23542300x800000000000000021864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:40.647{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCB41E9A1B6C4E178974DB12C1D77D0,SHA256=3EAFC8C465A66761323C7D9085B4F732A01DA0C9816EEC7FB934597465981330,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:40.491{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C4E027F34998AA497BFE8ED3679A48,SHA256=D95957F87D1ECCB14756068B3795E5B56367C4BF9D682E81387E946776F05323,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:41.746{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4737753AAD5E133D65A30DE1D035E534,SHA256=B989F13004A5E4D60602B6B472C642D7A9361EE7246BA8602D0BDBA9D68C6DCB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:41.509{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5465C802CE6ADBFA219BC603AFAFA258,SHA256=227D2A7B494F16C37E0F2328209F9B93FFA95708B55D3BF9BB2971B7BEA83BCB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:42.879{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B391DFD51574A0DEF6301C27A98DA19B,SHA256=9A4DD583B83B6E70A37FC5500BF6C90D8DB6FA1819C0907E1D225970C4C67F1D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:42.629{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AE2BD63BFDA1042741CBCDE98CF74E,SHA256=0A233833DDDA6ACBED6B846C09FFA41794FEC821F4A553C6585DDF4E9DA200A7,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000021867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:41.388{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50398-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000026860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:43.683{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCFABE5D62AB807EBDCF8FB61CEAF2C,SHA256=27CD2600696913C3FF7A0780A6A11EAAF32FD1E2981EBA52B6A219C291476DB1,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:39.306{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65358-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000026864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.701{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1E519F8EF94633240C4D07699DC8AF,SHA256=EA0A17AA91DD70B4442380D1C62199BD039904D1A55C27EB066199654BA6A3C5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:43.998{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BCA390E41FFCDF09219E48AA5AEE45,SHA256=AAF7B1D8E495DF3FC23AB26DBE554D8640C96D1F78508AE26F70D0412FD9753D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.115{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=6AE70C80B9414F64D22B74C37FB1A753,SHA256=00557A99757EE7B6376A4FC014EA8888F03E080118A6707F5040AA8D6CCFEA48,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.115{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=EEDC9FF5E7F2D31913516146FAE86984,SHA256=C6F32341DCDE294EC4991D149566D83CE3797A32BA440A8045E1A87E17F1B7DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.115{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=7657411E92B17ADBBD955B4BCD36DE67,SHA256=7703B0A9147988CAC10DB625BE725FBA67D72DFB0B2FF0532C6BC0AD67F6166F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:45.736{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266F5F1827D46769230773F5E3C68022,SHA256=5526CAA9C34D169C4C13698465579290BDEA2320CCC20A32BE52DDC0AE35E9E4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:45.028{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E14744F267FB936D986568C7E1ED53,SHA256=68F71D7FC5953BDC92C84134A8A0FD714ADCCBA470EC1902B5DF60D5EBB95007,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.790{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91224D893F495E29BA2A4B80906DB0E,SHA256=554476B37608610D39A2FC28884EE10A7F68872A0A51958686FCEE727F390DB5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:46.060{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8CF42CBC87AD9CF2662AE7F58E0FC6,SHA256=D8CEDC31175663785BA8E2BB98137148BEF8954D1B5E3A34CE70C64FE245E855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.538{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.537{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.537{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000026871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:47.833{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE4D69F413E93C50C9BBF6D74C60B58,SHA256=46EA7224C8D11A129DA879939A62AFEDBD8B14266982A5A07F435C2B048CF846,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:47.159{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE0D4914AC520E58AED607F4C91608F,SHA256=189EF8CC9B5C478C7B3CFB093E21317FD862F41A70A09C95A5540800CFD2ADEE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:47.108{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D8DC2E91218AF8D46C18F020366776B9,SHA256=1F252E206511DE829D540CEA94FC72548760D9E85A38378B53C20C7208525514,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:48.853{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7373648FBF26A57709D7964195536AAC,SHA256=72E5806AB2028A84CFB8B805260425BF16B80D59774E7BD828E4AE1F8EBC2488,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:48.192{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F403EFCF291232AFA809CB85DCE57D,SHA256=1B29FCF8177444A217E1721944305A9EEB979DB1FC248B6A9A033EFBA0D98787,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:45.367{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65359-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000026874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:49.879{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3FD086B2AD23B987CBB1AA7FBBEF3F,SHA256=8AF677A37CA79AB270D04836B9459E86D2EF2522AB5E13874FBB2E4194DD0EE6,IMPHASH=00000000000000000000000000000000falsetrue
12241200x800000000000000021875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-DeleteValue2023-04-21 11:51:49.595{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileName
23542300x800000000000000021874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:49.295{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B75DABDA86F572C013787BC07F9269,SHA256=383BDA4CE76C755705C489A2BC4D7782D37D95890998C65B0CE6CB4EC61EAFFE,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000021873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:46.485{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50399-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000026881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:50.909{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0240943584EF7E156A74F88B8B0C0A,SHA256=F4DDBAA9C9C015FE88BA4C2D8FB1728B11BD974FBA92D9930CD9A5326A6C76DA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:50.675{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=355528BE2E31D14F5F4E1B79CF901D9C,SHA256=C4FEB7DA5E1265C76C3896B971F83E9351F0FCB4BD36BAE7414DC46A973165A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:50.426{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86181461F10CD6A54D7419B6C800E30,SHA256=ECBA637EC6C8D2B8AB05877C7B3909749CB7F07C509866401877D02F6A7FF0CF,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000026880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data
13241300x800000000000000026879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008)
13241300x800000000000000026878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000)
13241300x800000000000000026877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d97447-0xa87a5b02)
13241300x800000000000000026876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data
13241300x800000000000000026875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001)
23542300x800000000000000026882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:51.942{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B61A15DDAD24D71A266DEE4BF7B6A8,SHA256=EE0F78004483C748ABEE883CFD2A8A186DE3ADA5A42C411E4F95985295E0A486,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:51.474{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192D454C05E8FDE9B03ABA0FFC2E24F2,SHA256=69373227F37FB3DFA0AE623376A69633F2CE998D0AACFBF9D2AA62FB275CFA4E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:52.589{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846EEB9CBD3B69761C3FB2F8CE9B24BF,SHA256=7A3AD96BF10D22D3150EC2A4AEA69BA599EA453065A6CD6818D5F5FD24773A60,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:52.962{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEE8C4FAEAD4D7D01F95FA45AAC85D0,SHA256=A7303D126A0478C99B540FDF5EDBBB6AE730CE3FCD8604EADF78D91E50BF2FDD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:53.623{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE6CFB22717E452685EB4608E045B76,SHA256=B37FCD6E113234CC5AC94E898D273371D4451D43FFBCB68167B1049657CD5096,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:53.988{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D1D0ABAB3B12863FAD215E30D858A0,SHA256=D4E693FAC6F0812F2DCA4B1FF492DB2655E417B3FD2EE3136C9C1638902A75DA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:54.654{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB03C2FB5EADFEE80B8137D73A939D18,SHA256=66677E565872D64488A8710AD8CFF5DDA128C8DF3BDB36FDE2A292489782592C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:51.388{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65360-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000021883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:55.772{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C351BAAF5718DFDBD3A6D954849BDF,SHA256=E8E3489C37383BA4A74D3EDEC3A88B4BF45E2E36968C206511A8821766F0385B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000021882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:52.443{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50400-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000026886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:55.019{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FB4B1FAEAEB79AC2E1F99A9550BAAC,SHA256=7F52F5A8245F96448A3F1BFD41AB3406B4177B3225A2132EBBC657941CF33180,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.790{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53E7E3867E85401120FB43A1868E774,SHA256=A72D87A547DCAB4C0D1EEDD03D165F5A7EC49C9C7DEF1E455E982ED2C517F659,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000021891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.471{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.471{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000021885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.469{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000021884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.469{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:56.037{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EB3F1864AC2F389BF3C1D6E9AF6BD0,SHA256=04A7B84E53228D17E3351549C84CB629AF8564F4047FD15C1FC23779E4FC80EE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.922{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE14E2F3F72B49446FC2D6169A58030,SHA256=7F7E87153CC7F1222AC81590448C6F7B4ED8B28381F75D44BD77FEAE91190E6C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.922{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=74AD64A7380FE985F1914CB1B0842852,SHA256=747B58EFADC7F2CBAC67D3774901B442092379F05B2CF5A1C474FEC864D1E54B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000021910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.871{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.871{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.871{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000021904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000021903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:57.059{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F318335D05321B17214E5BF352E617,SHA256=EF9D2ECA44B5DC382B14900060F4D36FF1FBC7C6EB8715C51A51DD80188B474A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.538{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CDF4E4FBC543CDEFF774EF286436CA0,SHA256=FC10ADF69808B182A65B736C1A99652A4B2BD78AE52D6E6E623A22C05C4FEBA9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000021901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.372{223CB5FF-78DD-6442-E502-00000000DD02}24366652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000021894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000021893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.206{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000021922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.952{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FCFB530057EB37D8A35CF4C031BB74,SHA256=5F9BE20F4E7E1496F2D517F5275B9288B936ED0753AA1620791DE7E405357847,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000021921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.852{223CB5FF-78DE-6442-E702-00000000DD02}44126804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.690{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000021914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000021913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.687{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:58.079{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B275232F5B5B14134B9688938C4874A,SHA256=3DB4F693930DBEB678A0EF5F7FC6D0F7A4401F024683F6459748D51F130B8087,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000021937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data
13241300x800000000000000021936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008)
13241300x800000000000000021935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000)
13241300x800000000000000021934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d97447-0xae4c7d74)
13241300x800000000000000021933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data
13241300x800000000000000021932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001)
23542300x800000000000000026891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:59.364{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CA6CDA95F57C27579D14BE07689904A,SHA256=796AEEF8D806CDA430FEE3D7A0E017D487FAF406C70AB2A0FA14EAA20E8257A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:59.105{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F31A6D066AF25AAF5F022E674B342EE,SHA256=1E9BCC8D89D38135B8451E452045E7C4CF20F3757988F2289CF6CEC8CB28AF62,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000021931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.572{223CB5FF-78DF-6442-E802-00000000DD02}64803208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000021924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000021923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.354{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000021946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000021940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000021939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.926{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000021938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.007{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F145FA599B0475B65C3ABDE6343F0A,SHA256=D14D821115678C702855B4BFDEFEC3D833A1319015060C197D8EECD08EA5588E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:57.205{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65362-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000026894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:56.445{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65361-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000026893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:56.445{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65361-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap
23542300x800000000000000026892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:00.139{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE5E121D4D83B37E6E70D1B96A0DEB2,SHA256=44510CC286DD3692F84EF914672ED5ECB7D23E153D04A91836D26034DC4BCD6D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000021957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.495{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.495{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.495{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000021951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000021950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.493{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000021949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.456{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50401-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000021948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.109{223CB5FF-78E0-6442-E902-00000000DD02}52366800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000021947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.056{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A5AD3662BF24B9BEE6C7BF39FAB46B,SHA256=DD357B6B1C71CFAFEDB72F26402A5E949B9AF90782D299FDF841F65B18C3AC1B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:01.172{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C13F85893C0D3A65E5DC95EC0477DFB,SHA256=D62649F3273A1A247909610B2D82664C57F0DA4B59D3C71D561ACE052103A08E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:02.178{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BFAF0FCF07B99C844487C02DDFEA10,SHA256=F5F70E91F763E4888AB1C746CB75BEEF2F35D80CB438D65D6B184F9BE94EB0C7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:02.192{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE03BE402C81AB06ECD0370B46D82AD,SHA256=11FDC6232B83BF8B802CE3B56BF9CA83272E5816B63532B61CAF60FF116EB63B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:03.214{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D622CC60F3393CA10EC501F839ECE5,SHA256=A60F2D52AD8502A501DD0438A6AB7EE9000F76DE4DC91B0DDC38901F94AF17BE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:03.219{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DE6ED0CD3FDE8350CF966E1BC6256B,SHA256=7E43ACB3EDE6DB64358B3C8EB36FE6BD0341A40D1245521D0A3AFAF24B87DC49,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:04.233{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA666BABCD5D5C7C9C423B7DEE9F0FC,SHA256=F7C4F2F159ADF7B740C6C40710876D6F342732FD220F97406FBD7729683BF172,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:04.297{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF7E9F02837EBFB137E77AF88C70337,SHA256=6F84F562ACCC3A6C89F692A76268D7EE249A5952D616F6FDF090FFDDC98DD250,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:05.366{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFE82688293EF0E3BE27167881E1901,SHA256=1D0CDD7B275F8CA1032E492E16A7FF37844562F3E26F24875F1BEB77599EAFAE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:05.323{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BBA5F5E1F4494ED5A19BC3C3FD6C27,SHA256=07F11D8DD827BAC0F9EBDBD62D5435A665FFFD0F9D3022B2DE0AF6328F8650C0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:06.437{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A1985F4C70E99346B90BCBF09276E3,SHA256=388ECE5610A59774DFD1A71B9023EA264D76E70E6B30A41D17E08EB2025E1DC2,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:02.289{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65363-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000026901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:06.385{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FBB364AB724267366331FD22C852F8,SHA256=2762FFE86E7BEF87D5CA44B59F040439A5B2D37DB3B6C13F951E45D03C6E023B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:07.856{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7A767B62E5ADBF5F352EE507A0EEAE2,SHA256=423435C8EB42779916C1F8D9C4E4BE86FD31BF02291F30AD978B7420CBDEB40E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:07.556{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DAF329DBD11214F935F18EC54D7BB0,SHA256=E6D418CC629FD63668B514E3FAD32D67F381A3276D7BA0F5F639A9A1ED3D5B08,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:07.428{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518131E3754999032F16CE635078C6DE,SHA256=E194DDE77E95F2D420BBD955C82394CDD171571ECF11ED975DD3B43A12874327,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000021963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:04.338{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50402-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000021966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:08.591{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020890CE949CDA7CA27A52C43C59A720,SHA256=C145080795837BD0A3F6F851D4B6F3078103B236452DE53E69EC17B35509E68B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:08.459{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACBD61EFBC13A1C57B5F1C53CFA45B2,SHA256=5C99BB135040572CE3325DE94223A537FEC9A7899385E40686B911BFA7A07608,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:09.630{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79C2D9919744DF9E5666DFFF3157B25,SHA256=1E6F46412FEDFFFCC25514D53B5A5916F55E76591468942C3D14E9972C6A6862,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:09.509{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E875E4CE838D0C74E7E8C004A0DEC8E,SHA256=41C4953F247397B15D83CCF45386BBDDB41C41EB189AC04654C20BE9B5E78E5F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.663{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94CC1BC16359A66DE00070DAADF2CFB,SHA256=799F3AD6C3B46F525038C996853BDCDB2E58AF2D3FC189E08CF80096A63170FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:10.536{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF876A6AE7D31E743CE1091A0B98835,SHA256=A64CF9812370EBDE1FE78D3C3DA90289BE5507B7D11FDC0FE80BE901E79A1342,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000021970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.447{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.447{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000021968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.447{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000026906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:10.165{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-055MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:11.681{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBC51B6973573008AAB48F5A24EE04C,SHA256=E5B1F8061E64ABA5911D0C5162AC8407E6D103C2236858D5D7F52D4A369E7DB5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:11.615{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FA3BC56AA1714A346FDA3EDBC895A4,SHA256=D2A928C23E17791BEB509EC391DAA482EB4D82C2896112D20D6F77DF3583D649,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:11.166{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:12.702{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE28B809074D108BD02F16499BF77B1,SHA256=2E7B68207E983CC3992BFFD8A92D5D9B3FA6A9FA108E1B2A6D37B5E3ABAFA95D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:12.668{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A57A5C6674EBE2354A1D52EC8AE053,SHA256=19D61F5274FF685977D34D9430B4A95031A216FAA8BACCF2AA84C5545D2FB047,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000021973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:09.400{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50403-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000026910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:08.304{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65364-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000026912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:13.702{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46AE67ABEC06047BA2C3BEB7DB7F3BAF,SHA256=640FC81E138263645E4BA69033E6C0380E9A208F509ACCBF3D6E165ACC375405,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:13.740{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08F031E025D5B1426E3CEF5E0DFFB16,SHA256=9AB131A1DC0F278F8A668872CC2715E6BF0F95A743BDDBCAA1C59A9C71A8227B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:14.722{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7F982E62408E85908928838E88BD77,SHA256=3B1FE490D1F57789B3C503B26246221638E1CC92A036A167340B3804F1AB6664,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:14.773{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E982492C724C5D1EAFD9D412DCAFA75,SHA256=1045C722AAE04B1AD3A1D97067D92E8747345CDF47036679825F4C87D69AC05C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.776{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E20EEB762B64E6526E2F562BA03BB48,SHA256=44A5652A83D445DF2FBF78A99AE34EFFA3011A7142B23CE40374592822840DC8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:15.827{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D711C7B2F3009DF4FB24942AB7F1487C,SHA256=E231629D85E835C6B991C2B6974E584172746997F9300907027B52F06039E827,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000026915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000026914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.176{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000021978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:16.848{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B152A67FFD7856590A7389A33C90F8,SHA256=66A079F423783A3EDC2660C19A6A71B6543CD8B0CC2D97E754F75AF88EE5D877,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:16.910{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A1397FC4CF0824E4F56EC1C24EC662,SHA256=C9DBA94DFC84D9D6689C874F2BBFF81B6AF3C138868AAB86FED7056F7C21EAD3,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000026924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:13.387{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65365-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000026923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:16.253{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67D637271CDEE22396653A3EC0396548,SHA256=29D7E17079F3059BDF96A2179C422ABB9E2FF462FF21995436446BD0FB0984D2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:17.967{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C593491FC87EFF2DEAA3A24A7B7EA3F3,SHA256=C074C91D2F49CDC5E5914455C45DA4334AA286E6CF0513AFC6C887EBBA488C68,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000026944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.980{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376B81634A8657ABDC9E71882FCD077B,SHA256=4A501AC9D309967468CE4AD07DBA29AFDC94DFAB20DA9F6A88BB2DAB07AC6FE8,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000021979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:14.513{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50404-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000026943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.536{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C54DC49D6C8C735587ECF9BE9B838760,SHA256=42328C180F36DB73C17A08CE3AA2DD9213AFB5754A1BD7DC48F83A45D161556B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000026936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000026935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.512{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000026934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.234{AF4EC832-78F1-6442-3C06-00000000DC02}50084360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000026927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000026926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.011{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000026953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.253{AF4EC832-78F2-6442-3E06-00000000DC02}68326524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000026946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000026945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.066{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000021983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:19.372{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-045MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:19.254{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:19.017{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF94C0A549BFE33C09E4F8EC27573218,SHA256=A0993C104FD6BC977A20AE2693486F7508980985AC142E6FBB73DE9C16A7576B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000026971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.837{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000026965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.833{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000026964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.833{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000026963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.336{AF4EC832-78F3-6442-3F06-00000000DC02}44326452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000026956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000026955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.157{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000026954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.099{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFB33DFE2834765FA40AA7BFC6598B0,SHA256=660DF734AC238780792A3099867509584F926BEBD1A73582CDF977C65BB5E3D9,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000021986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:18.542{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50405-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000021985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:20.374{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-046MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000021984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:20.138{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18944BBC65B50238E59E38D4DB660B4,SHA256=1B3309555CC887E8FA532C96620ACBD6A7E2216E423F29F6EE7B7469DE71E3E6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2100-00000000DC02}2448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2100-00000000DC02}2448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000026999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:33.619{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DA3025C445F4B00981DBB7EA9636D2,SHA256=FFD6CE2C044B9E1927D9FEC8ADF85ACAAD7EB9B356C0976F162247A8619111FB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:33.088{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D227DC8C2FBB61182DBF8170EFBD3AEF,SHA256=8EA295588DFB6578030E76BC30A75229F5C31A9548CF56CBBB89CA86F0DF5992,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:32.356{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50408-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:34.654{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CEF7CCA0D6D2FDFFDCBB72CA03F232,SHA256=54F55FA60B234629F13019DBFBA01BB2E148654E9FDB9DC072A1CEC817DF2AA8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:34.119{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6731B130B4188F28EA5B0F359627D80E,SHA256=29A712E469F034B16821B1118317BE28E55F870481AE25B80D402CF24A2B59AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:35.674{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E44D722D13A1548D6E98139EE2500D,SHA256=8AF6558067F748F644AB7D88C49CDA80B9150B5F3EB71996A8ED1AC05E0E1D1F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:35.137{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C6000F9A2D1C5E4C662B367C7B14EE,SHA256=6BB7228BBE1FF1EC7128D420964985B14002D526C91F603655CC050469BF1B2E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:36.710{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA082064A5C23DA044AE3A3C0FC6D82,SHA256=80C5741497BC58B8BEF785993EF49AD6C24F5DDAAF7967BBD3C893A57F6BC12E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:36.156{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E11F72258A60981920335BE35EFA22,SHA256=89549C680C82E118EC9A195D61617F928F5CE1F1C7F4C072BE8425654F2987A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:37.778{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3DF259ECCFC419D85AE8B475AE1994,SHA256=BB0ED9D1E72D8C2DD1FCD0A88A73D8673C9C92D4E06D2C92316FAD85A639ADC1,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:34.362{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65370-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:37.227{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12A2D85C716B0E0C5E10ABF088C9C68,SHA256=A9D796782F05C430AF429EAF5EBE74D69ED06843AED21CD28396B5D3B96BD965,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:38.830{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB3EF0A1FFA6DE319E376F3BD7538C4,SHA256=9B0AB84985B0C881B7173F58AB2A83CD0B609CFCD0FC579C975BBF729B0733F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:38.261{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C325B59BB0688308FB54B405B4F2856A,SHA256=73D3CCEBB3745740DAB55CB8C34B8B9DC7123FDE256ABA4A937FECE4ABF9FA48,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:39.865{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733EB766B16E5408E4DCDAA5E06BA13C,SHA256=265C4C7872FD776C98310ECEB291B06578E4C3D5D99EB3A2F6F42C9811F36ADA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:37.385{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50409-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:39.304{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA3E61502B4A31C4EBC4A3CFE29CD95,SHA256=558C7F3ED26030AF2060786DD472C70E5E37A7C435306E443D27735423E08693,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000022011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:52:40.750{223CB5FF-6DE2-6442-1500-00000000DD02}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d97447-0xc6983742)
23542300x800000000000000027043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:40.435{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A92E233F622260196D305197919981,SHA256=BD3272D929424E18C3D06CE7CEF671613A9C615B8E26C0C9282587E1A83433DC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:41.004{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2F59523ED7C9C652DF3E799D4FF28E,SHA256=5A2218587E401C0CEB09AFB1C6B1256AD4AEB20B68F30BF8C8D75ADC8EC210DA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:41.454{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6A87C8709B07A1B4BFF6FC66F5B086,SHA256=0EFE90B5611BC83B9C55CA801896A38624C37ACBF8911F5E116814D39BDF276F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:42.038{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB1F5AF1C710AD40CA216517A9B9328,SHA256=89B93446B46DA4485720DB8499F4AD52CD71D5014CB68E20140C4794EBBE28D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:42.572{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6AB4C568A2A98D97C8F69180A9AF45,SHA256=416D725BA41F29D68E2F0EAB49648DB27699D13B970903A92A157375F96B004A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:40.362{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65371-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:53.108{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81718F665BB5E4ABC9F585698EE8AE62,SHA256=F43307099CAAE938A72A5F26F3B16581A1DA055AE57D685B1C07AF4EE0B80ED4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:54.938{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB8AC754D28A830C7033FA4083C73A4,SHA256=30C0B270F1AD6BF544CE59BE15F840015301A027757E08024A43B6A3EB4FC689,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:54.209{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DE7D1C551EB322368A05C8E622C377,SHA256=A1506C559F226F88FDC651DBBCA47DAC0E16B8E149B54A55F2BF5878E4ED75BE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:55.956{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF63BAB43022EF4383ED7C39D8286A0,SHA256=9CAD24EC0809F904CBD6F0824536B1AD1586F34577386D90E43DC0A6D430CC75,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:52.269{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65373-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:55.277{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DA20D1191F2C9009D12C98387791BF,SHA256=1CFEE376F2071EA02B83C443F0A1D92AE3278C0273B9C2EE5047B2CEF1B57E88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:56.412{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EBC994D005B07791514F33412A158E,SHA256=CAEB37739BFD09B8B54043C26944A815D7FFCB4E165B2EFEA6ABC47F9A1487EE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.389{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000022061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:53.505{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50412-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:57.513{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B873342D1698DCA66EDB449C01AAD0E,SHA256=5B92FEC5B00E81BF119D89BF5D58DF544F087BB661962F9E1EF732688312A34D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.444{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B9999B10F395BEAB14EBEC4DDA3068,SHA256=ADB2B9F9137234EF1537D43885F2D9C9DC57FDEA13AD86195E033219DCCC176D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.209{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.206{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.009{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB714ABC9E49ECD078E7AA63A030C82,SHA256=311BA973FB55E8FBD6DAC6B33ED9F251EB88A72B923EFF3AAEE0B5549B62FB81,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:58.665{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A578A4AF7D91BE46A40E18FAC25BBF2,SHA256=DF7D79D447042472E2F258CD6D58D052506379D72A58DC2C1948D7BCCD39D5B8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.897{223CB5FF-791A-6442-EE02-00000000DD02}50686996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-791A-6442-EE02-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:04.106{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18C50780381A4E55AF23AA01DF5C5CE,SHA256=CF6958E086666CFF59885A6DA1CE1F7D4B6EFFD7316B2981CC598B9F057A4708,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:05.413{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECE4B8A1197B50CAECBF2546A955EF7,SHA256=72A46713ACBB02D1272E404373A8541FC5598BE64586F9A962CA58794C66E385,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:05.124{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C4BB090AC72D4F42E3CD8914DF9090,SHA256=2B656C319E65968934604453E22042A659616AB47C9704A449C7B1F881FB942C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:06.433{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21760F96969C55828B85DB588DF9A799,SHA256=E0EBAA6B0D6409CBE8C328E3938C281B5C6E6BBAC479A706FAC777924BD0ACCF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:06.250{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30130A5BC12ABD02CC3642C0D92202F5,SHA256=9968DCE24B87169CE567A9F256D70B6CEEDE5EE3CE9580779A1842A27FE42BB4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:07.870{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=91586DEC86502DD26218D27BFEDEC59C,SHA256=847FCFC4E2F6DCA1DC0994E72EEB7B0591FF27188D71ED58CC8D658582025ED9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:07.570{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FDBDF87B965D68309E06EDC369B6C5,SHA256=A98DCAC6BBA07D59017044CF27B199A39B507BFCF075A53C352016BFFEBE37BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:07.310{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B627084F587CE697072E8AD12ABBDC3,SHA256=DF7C4D60B4EB0C18252CBA3FE6FAD661B6F89FD6271EB63C1C63E1F98FE414FD,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:04.400{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50414-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000027076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:03.341{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65376-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:08.640{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6C5562B80CD10897B1A3ED3C9EAF7E,SHA256=9080933B14AEFE0AADB066B0DDAC35A1AB05EE85925CD4A8C89B27C913DD3B46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:08.328{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4116251155BA58C9FA1EAB3CAAA758EA,SHA256=9E9E5F61843FE950735DEF4D80CD4012C87877D6C478FC41B4B54D3C64182E9C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:09.741{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7058245BDD7C7B93C096021C884994,SHA256=AA6B6443FA618F3344D0AF2ACFD124B028F3973BF0F77CF39EA9470C006F2136,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:09.429{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300CB9D2A33D86D28C49AF325F31FBCE,SHA256=3E3BAF3738A43CF52D2896E11700534B9D348BE5A97F879AA248236EBF17642A,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000022148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000022147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002c0db5)
13241300x800000000000000022146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9743f-0x75757fae)
13241300x800000000000000022145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97447-0xd739e7ae)
13241300x800000000000000022144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0x38fe4fae)
13241300x800000000000000022143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000022142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002c0db5)
13241300x800000000000000022141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9743f-0x75757fae)
13241300x800000000000000022140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97447-0xd739e7ae)
13241300x800000000000000022139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0x38fe4fae)
23542300x800000000000000022150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:10.858{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712C9B45C41BD54763B6E724DB0E3D49,SHA256=D829F23D667372EACC1729DE86CF68550EE04D9E6F5C3F2D4C67C84A3D57B36D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:10.531{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081CAA922019CE4B009A379B18EEDB73,SHA256=FE15B866A8BB3F94BCFDEA0FE4062C29A549564D5A4EA0BE663B61BDA95C24C3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:11.958{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ECACC5901CDFA8AF9DBAED452A5FE6,SHA256=9F4E3FEC6B664BFEC417DC4A5E954FB9FEDD1911466252FB4480B134D511E836,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:11.685{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-056MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:11.583{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB748BF99ABD84FE434A82D6369758FB,SHA256=9FBB016C16A8DA9A234DDBAB85B2A5042A807866E3366712CEDE5482FA4C5AE8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:12.685{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:12.615{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431B8EC086740025562A875A95DABFC3,SHA256=881D1BDC0EDB8372FA51139F822A6AA6E35B03ED4274568D95694D86781381DB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:13.635{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6E8B7617BC0538757574902A720A9D,SHA256=CE3539ADDAA61FC7E92F03C8740974F3DD5904A3341109C933C29DA738283D91,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:10.344{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50415-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:13.042{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098A6A08C7630573E5DF2197139EE581,SHA256=BB2CA2152D583562A28BE76B26BC028010FFBA5131EEC4F4CD1C59744EBDCBB9,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:09.216{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65377-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:14.759{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18254A732448216540CD5FFA579FAB09,SHA256=FA67DFF0AB60F257EDFDABF99F5D38200EA27B6EF96A8D417378BEF770772450,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:14.160{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2089B08279380191D51281A7BAF7EA6,SHA256=0BFA188B056D44EF03AF40AC5F971E60479240031DD24BE371BAB98645BF51CD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.860{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC75684083CFD617CBE15F56BF3F021B,SHA256=B8ECBD8CCDA5E6291A4214AA9F5E4E90C823AE175655C4D648B8DCC0282AFFBC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:15.176{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE7DC3F4F3B7280253592885C24E6EB,SHA256=C219A8761953F0C5FB3D3C9F2F2700E8C3739E670FDC99DFB719FC8DC4559FDE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.187{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:16.936{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CC55FF6CCCEA617C652C2AA6442AEE,SHA256=BDB586020BA5281CB3786A64954A655CB5F4DAD1E010F2AFFA26BC3406F59EDC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:16.277{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D0543D25745FA4A378D0C4049F82FF,SHA256=8226442D8075ADC98C8FD52A6C35BF019843D5E44B38B988C60678755DC5ACA6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:16.203{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98873840D5338415431A6A57B4E731EB,SHA256=3EA923C00FCDB6409B18735C14BEB1397E1407C27FD8CFBAA825634A56861504,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.989{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57F56777CC582756B78E02F2A822A2E,SHA256=82D04967DB9CAE1134255420FBA61A52490B4769391A0D5393489BD1C406B07A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:17.346{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F718B0CEE6033200027E9E9D7288D6A2,SHA256=554396028AD2DB78960785246C6A318C95C4FF860B9D82268AE6F932F1E260B7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792F-6442-4606-00000000DC02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.164{AF4EC832-792F-6442-4606-00000000DC02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.090{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0C48EC517B53B2CF5345929BF5CF24,SHA256=A3F5FCBC39627B4EA4940C4B3CD1B6D937A5646A31F002841EBA3709F891114E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.252{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65378-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:19.281{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:20.885{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-046MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:20.630{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE819A54FE851AFDE533CCE8FA3B3F90,SHA256=48013A11244EA5F342399AB31906CA50D086A5722587080943609EBCE1EEBC7C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.509{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.191{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38B0986F08BDB7CABBC9AC675918797,SHA256=EF208E124514E87F53873E67B1B15A635E8939181F5C7740A4884D9C80CF5937,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.991{AF4EC832-792F-6442-4706-00000000DC02}60804076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:21.885{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-047MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:21.752{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D2B3144B6734337758976EC3DC203E,SHA256=BC5466930C2FB5CB013D77BF983D15E16F3EFA01F5CFAAB0AD60CED791A8CC79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:21.246{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EECD6DA5B9D9D88B68B94948CE422F,SHA256=B58446B05B6A416CD07D7C238DB76E3D7548480927FF9D13F6E98AF17F4793C4,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:18.552{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50417-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000022167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:22.884{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B117332255CFC9E660425E2851DF153C,SHA256=32F337C43E56C585D23AE21D7E01DD334FCD9E252855E94651E8753F58A7D7E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:22.367{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC61B4C1C03F9A5C2730D8805118C57,SHA256=175C59F45B147F3710F68358003690512D341589A62B9357025AAF1C3130B562,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:23.969{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52E9DAB21A2B96FDD39C8DC10A574E8,SHA256=F57C7E0C80F09B1D7B54EE2BD9EAF1EFA5BE65AC245B945BE8355ACCDAD242F3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:23.395{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCED582F6726EA3337AED9E7C2F6B9CB,SHA256=374A2BBC5A816B72E1C3769590E4B09FAEF969DA66A442BAFC7481A587D09722,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:24.496{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B91B78B6D06A81F5F0CA96D8330AA0,SHA256=B5A18028F7BBCA1D50A0137AC75832FFEC77ED773996348ED005EAEBC26D0CD6,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:21.520{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50418-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000027159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.273{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65379-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:25.582{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76641C28083B998873C48EF0E115FC9,SHA256=55802209EBA77C493BF98FD223205A560AF1245B2515CD93BE1C3505E369F114,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:25.070{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5750F62B427325D367D277F319B8FD,SHA256=ED5C0409832B6705FE17FEA5B2CFB5CC5021737CCCA1D5E60160529252F3050A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:26.715{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7C85D234669EBB6911115B18DB21C3,SHA256=94F3CE58D4425E32CE06D6D386D008126DF0186F2DB8052648F4EE734ADA6C7B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:26.154{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16765D622820C4D5C60D0C6C69E8275,SHA256=F6B85842E036A64548B51D53E99C4F6281EED924CA73A92C71699A17923841CA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:27.785{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738DBB6FD85B891FF71B3D9D7769D101,SHA256=E1575068058C78DEA803AC36EC28808F1FD2D30963AE9FF2CF325DE7D927429A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:27.519{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF15CE74429E8B4176186B86EB64C0C3,SHA256=9133DD7E42456DA430DE92139DEEBFCAE9548DD398D33659BAF88A8856AA6C79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:27.288{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FB74BDBD6492D8355DE2966B29FD09,SHA256=D3492E74010EEECB51A5D2DDFB9EA3330C6B865FAA364D6E99C908CFC7FB60E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:27.331{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:28.817{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079012D37368B552D352412AC0AA08D4,SHA256=83E5077E1EE800C5FE14C84C9F2B56B13830587B6A80D4290D3036664FD52C12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:28.390{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666550E8E56AF8074210A01A04299E86,SHA256=3954FD3F4B147CCD4E3A5146E2F5F598EC3059B491699B3C3A3D7C9D0E25256F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:29.491{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD090BF3CA5D7F880677ED0FD3E9B23,SHA256=496B42F7D829768B976275162EF690647B5D2B653D31E017D641021F2EB177CF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:29.833{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7276772A4D3BAF4DC91DF0CBE7519578,SHA256=C57D652128BE3EF05707923CB81659265C6414E79F14DBA6A3CE2A8F3A1880F5,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:25.447{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65380-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
354300x800000000000000022175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:27.392{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50419-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:30.576{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A785A673B5AE7DCCD876D054F29BF1,SHA256=A714C638DEA014C9A1C17A150222B4B48639DA828A9C25274EAAFB5490FC6DEF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:30.852{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0239D855FF2EEACE536A742B18318FA1,SHA256=9C13B7A21062A62A25B96CD500625514F502112F2076959913EAA02365808797,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:30.202{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F431996CFE52AA040CA1E1C813E161CD,SHA256=48B385A9177AA8EA6C83A185F670AAFAC51DBF057DC82BAD563FC1B1D3F1F13B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:31.663{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645E4E289E97D7324E6F2F8F1E3789A3,SHA256=02B1F95FF7C9B729D206C0F6C2BADA1EC1CE3C658EAAE576451273CC84D04C71,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:31.953{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7CF90AC6B9D99D841CFC3F341A6871,SHA256=4AD791EC90004D0A239D0074FD18B0D30AF276DDC60FE9D9A989B131BE496511,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:26.182{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65381-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:32.780{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F67FB3FD7A411618BE2172AA897E7B,SHA256=646A9FA78640BB84CCD2D0E78FA89F583EBCEAA392374329F85DF777D5E36862,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:33.881{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03677044A0FD0AC2C3E1B7DAA9270D1E,SHA256=448EDE68ED794F3C4B2D3081D5717A25EC6795266E6942CBB25E6B9967812C0F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:33.021{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA29514E473C058C466B664B5DD4C1F,SHA256=DAFE24D5CD6CBB87576BF22575ABE3EFDFD8E211B916C7F385A17EAE6379663B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:34.997{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7ACFD987924C9D1EC066760315DC51,SHA256=F98EB321E356351F74B5817510B919ED4A5CB8AE63A62964D51FDCCDB5B9CD1F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:34.037{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4543F8041DCFF3074DF245AD83D229E5,SHA256=5240BCD056BD6FEDE5AE03AA01EA7858D23066F4DD0039C27F753FC0E904439F,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:33.368{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50420-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000027175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:31.309{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65382-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:35.056{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D53AB8B394CB9C9FFC48E76A38569D,SHA256=290AF76F5B71ABC44CF23E768EE25A5B66781D5675BD7FFA795A5FD19E5BCC0F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:36.114{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD71E47621FE6196BD215C778EBE07F,SHA256=AEB49DB4820650026792A3FF727BF2250E139C868F3EECE2606D38F3CF1264FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:36.640{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=061DFA031CFB20C4D631FDD1AB9A2B7E,SHA256=4E1C8CF61272F18DFC953EFDE16CE74EE7933021238F8EE35C6157168026B56C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:36.208{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB881D33B20D0132F0D1A54C954612EF,SHA256=EB7CE0372FD4028ED472E1094CAEA6956D78B9F77209A01910CA590E0297E8F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:37.148{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE4429328DF505A80464B6327F3B0C3,SHA256=88CD9FD5C561DE8EF298191AC68DBB425D48E682288128C527BE81AE677F16BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:37.225{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769C1449DEB42C862B481C5B24D448CB,SHA256=FF5392EB002AE67220700078111AB56F63E9230949186A9830D0CF387D89C437,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:38.200{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E0CA5BD35E0C95E13AD8D02D3DC294,SHA256=1980EC437F8CB76EBEA9A464B97BB8A566B2FC982FFB6788B2EA00D4B575952F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:38.359{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE923DEDDAC2F62B4936EBCFCD76CCA,SHA256=45FC3976B3C8FBB344972871C977EDC002B11B0F6D02610AFDFFF40D30A00C46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:39.268{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978D19241AE4E8B2FE75F742AE778249,SHA256=2AFFECD7541E870A8C86FABA1C9F7B882783EB9416F08CEFFA2EDE6AE097949B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:39.413{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F840632F96009FADB89269C108F3F941,SHA256=CB2F648DAACA33C209C1BE08EBCFBEFDFFAC9A232C6B927B813F84B945D29319,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:40.351{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD970280E540C359C007065989DC8C07,SHA256=3BA78DB3559C7FF894D1B8B95D06F628DD803C52D8663433840E88CB52EEA39A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:40.563{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3791E993658AADE4A1241DFFB009D5A,SHA256=E22E732B10B4578C5890009003AC09DFD4A99439A50CF53A5E3B23C11BCE3756,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:36.314{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65383-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:41.670{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6327D69923DA8EF02968B51286F46737,SHA256=870B68F2D288807E588070BC34BB21DF4F84761F529A9330220B3DA0DCEB6DC6,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:38.455{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50421-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:41.370{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F7DD7B06F66343D8E79C44E22310D1,SHA256=28A64FF0BB1A2878930A030F1F115D08C488A534839290FD88B66316FB987985,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:41.700{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CF28EE1F07FD6B7A1FB50952ED0879,SHA256=770785511B396E0FA0BEC8DB9C564D9DCC3D02B506E2A59839421E435312D80F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:42.454{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB937C33676452F2C08A5E62F1343E2,SHA256=390B98C141067961B07B748042C23B9950521A244CF79DCFB61738C8124110B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:42.748{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA712438447C18451B3709011BE7E52F,SHA256=385E4DFA12D8922553A38A4CD59F7DD7E72A2385324A6F377070F1F964042932,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:43.537{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F764E4E4460C8F4CF0AF16456793E771,SHA256=13A532FAD14246731F219E1CF044DDFE47C353A2DCF5AE9A750215B00E81BF06,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:43.790{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C4D009CE6991F84F4ED5526AE5EA71,SHA256=FB35992686577075051810376940CB8CD9FF8C42A4B89D5E67609BC1434D99D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:44.606{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7A09AA6CC18CC4FA275427FFDBF44D,SHA256=8EA4061CCA8EDE7B0C33C455164962C8E7EA181E472B2C2B03AC522EB6B335F9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:44.803{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D62CF1DF43712DBDA8C756994F14B5F,SHA256=60ECCC03A7E33C91C46D90B467315D8B15D00E9EF92C41F53F8FA925949FFE71,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:45.676{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369594E84F6FBB988C6025D2BF437683,SHA256=F80CED72DB75F86869B31C937A54E55A6AC58C7E4BD4EA921C913489947F8490,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:45.869{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E11C2C53416BEF3C1062097F1B7A35,SHA256=D3F7EC446E1694BF2AE3D32062ABD675C152205F887B7E05C12B1F0D3E2F0821,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:46.894{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E3682B9F4FE1ACFBF5128904ECAB34,SHA256=7E5A68B30A23201B16FD0DC9F36A143D4D2BD25C4F3A58ABF5876A34BB7D650B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:46.695{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3862073732D099A70965B89579E258,SHA256=6D9E7038089EB7553E7E375575A606C1FECC33C2794D1C0E07EC5AD7FFB6E156,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:42.247{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65384-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:47.938{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DC8A3764D7C79927EEB4F42EEF5D54,SHA256=FD8A233BFFFF7E3A481AA23AD86A0532B88C9318FBBA2C3F586A7A933B384BEF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:47.780{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93ED925ECF683A8E009942504898B65,SHA256=8271D2DD1DB3EB219294EFDBE83A165266FBDF6514C91D9564E829DDE9DACF44,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:44.393{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50422-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:47.494{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CFA1C22783F25EFF97679DA01864443E,SHA256=0D707753381709FC19A6D7F635092811A97361B57C843E727F38285D772AE331,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:48.997{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559697A6DE31F772C3C3BAD6C35403C5,SHA256=378A33B7539412FF8A75767EF9372C18E21CB58EE9DC9780B6FBEF62C49F3512,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:48.762{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B18C03FFB831A7F9ECE20C491BA29F5,SHA256=729BDE8B230B92581DBD090714F7114771C425AC11B4C03C2E6B3DC5C5A68D7E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:49.862{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8F1895827AB0831B50F913AD7B6BB9,SHA256=3432F8168EC91A7AEDC5AE7CEC81DC1E5DDF0530C9CC1A7562A8265151895772,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:50.983{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD268ED52C6FA72AEF920BF698C21C01,SHA256=994E8D0777D7B11FB947DB29C826D3550FB425EFDB19738AC30F13F59C996E62,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:50.056{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A5248432FF98E0FD546D4EBCD9A09E,SHA256=B094D15395CD87C379893C4B583C8BF3CC805C81AAEB645EE07875DBB743B1AD,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:48.185{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65385-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:51.074{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D98177EE2A4E3882A593C63C53DC299,SHA256=A709EC7CA0EFB2FCF98339C1DB3A967D6C6E03F108E8B5F6E2B13613B294CC1B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:49.448{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50423-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:52.100{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AB12B350EDC19E687C9A9C074F7A44,SHA256=57D574E853F0E7D656A35EFC2865877B3DAA53E6CF508CD62FA19143487E7DDF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:52.127{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F951E22F553FE9D3E7E0898C3FA3F9FF,SHA256=626F18A5883CB78B6242EA4EE6A7199D635579F45FD529067918A969A756A240,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:53.217{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C0BE70677C01B9F70F732EF40EED0F,SHA256=B6E08258F66E1449BCD9D6A4E275669EBB054F1FFA83584049B7F7A9096089FB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:53.243{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4209A3E05FD13CEBEF2A8123E756282D,SHA256=4318E6CEE12123CDA173395B79FD57290D5517E0C1AC218F8D82328DE4390E02,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:54.268{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B269A091BFB2481000C36A16D8DBE4,SHA256=A6CBE753DD51E16128F76437AB03BA50A16B8BC54EE4589E62A501EB0A0354D7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:54.361{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCBA0127C68EC8E53F596D6474E9EFF,SHA256=79670FA5693A08C272B54AE4C04D21987975B1C44BAFFBE7DA927C38DBB90482,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:55.350{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF31B3EB8673B853CB88FA14345D098,SHA256=EE6F6593CBA3DB3A4D608026DB979A64BD5F1AAFBF01D8211D9E5BDD94EFAA72,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:55.446{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154D3D0990201C04300D6D11F4DB90FB,SHA256=878ACE907B5C03492BEC4FFD67C1761825CE7B138BC72A4C7632A72BD9CEDCA0,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:54.505{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50424-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000022214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.388{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7954-6442-F202-00000000DD02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.386{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.386{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7954-6442-F202-00000000DD02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
23542300x800000000000000022208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.386{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8056616C09544F4C51CFB0A3D32EBEEE,SHA256=9FB4C4FAF771A4D1576E8D32139FF4EA6FB456C8C7B60DF7207E6CCC61F6309E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.386{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7954-6442-F202-00000000DD02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.387{223CB5FF-7954-6442-F202-00000000DD02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:56.478{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CA76079C86957110A7992608FF87CC,SHA256=BE66EE2E11C70FE8ED27A4F80B180455EB8A078FE50CFB3039B3A66C2C69BD98,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.875{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7955-6442-F402-00000000DD02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.873{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7955-6442-F402-00000000DD02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.873{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7955-6442-F402-00000000DD02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.873{223CB5FF-7955-6442-F402-00000000DD02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.675{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=363F932EFF56EE89DBD1DAD4C5707041,SHA256=D1F199F37804B0D838B2D8D435E2DCBBF742EBC6936CB2617B24690218005801,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.408{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4E1DD279E813412501BDFEF51BAF6F,SHA256=98DB5F02BBAF7A6085FFD7E82091936FB497D1B3F64C8153529876F11215A1C3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.408{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA15123F572160CE98E1341E086CAF0D,SHA256=4BC453BD9F665BD770E1058F7CB1F20BBFD4F5701E8F416796FDE80FFD5FE77E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:57.629{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76320F658837EEA88486FCEA6D271B2D,SHA256=B00BC4098C3E655BBF4CD593AA0FD4F47DE416A45E01586B84A6CB4B1856DA2B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.375{223CB5FF-7955-6442-F302-00000000DD02}61606208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7955-6442-F302-00000000DD02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7955-6442-F302-00000000DD02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7955-6442-F302-00000000DD02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.209{223CB5FF-7955-6442-F302-00000000DD02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000027201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:53.358{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65386-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000022245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.856{223CB5FF-7956-6442-F502-00000000DD02}67564804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.694{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7956-6442-F502-00000000DD02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7956-6442-F502-00000000DD02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7956-6442-F502-00000000DD02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.692{223CB5FF-7956-6442-F502-00000000DD02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.540{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBDD98A98726760944BC95E7D887282,SHA256=AECF78ADAC06B648588C927A716A897560C88FBD364BABD491AE9FA7D1A3EB13,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:58.677{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8049FB5EC75A7A8D3B97E16B7712BF96,SHA256=5AA81226E1079ABEAD93BA530E7C0A95AC915DCE9A7A99421572E6723013830A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.610{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97FE04AD19E82292012C5E7FB5828D95,SHA256=C6E75F050D5741DB94635E89F7A34D7FE8FC8A3950206AABBCD6E88D2E777B50,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.557{223CB5FF-7957-6442-F602-00000000DD02}65206376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:59.743{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6748DDC23924B5B517795DED37982D81,SHA256=E74E5D5BAC88D7683E2133FD92D1F2415C0B1DE3211CD1CC2DC0B88CFB6DA658,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:12.670{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0004D876FF5FA6022534C0E3F305CE67,SHA256=96298CCE1E12622B62BBAA8B269CD261FE20EAB2FBE2A586E6EC6F64D06BA065,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:13.741{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276B07EC477E3B3A457EBDC2A2E013A2,SHA256=1F0979BB475B9605363DA3B736826B0C7BBDFBF4FD5A660DA1BCC7EAC5251B79,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:10.248{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65390-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:13.805{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF61D959244C941BF0791C3E4A1A7126,SHA256=A1D1B71B5BDA933F63CB19092AF9B6E5EEF3F06831FA977EB1D5C1EB5FDEC835,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:13.223{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-057MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:14.842{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1367FCFE4E08CF5178956E11B329B7,SHA256=5F05A7401D54D58466098214449CB1F39180C7C868F72E8EF7C612C32D1EEACB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:14.836{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2C874F92703B654040079E77295AEE,SHA256=659050A91FEB5A0C9E8EC3E53175C090F60765F1FED92527C2605E90BE05575F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:14.237{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-058MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:15.892{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42CD6AE23364ED4594090578CA08B3D,SHA256=8A516CAD145CD87078C3C9154BC4B5C7081DAB4E70E6FD4598022CC12C09F2E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.893{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87CAAF2793AA8E730EFD59D81237798,SHA256=B828C062C15D9D03AE5213D522CBE7FF39179A8566E17B69F1442FD8F31D524E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:12.427{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50427-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000027234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7967-6442-4906-00000000DC02}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7967-6442-4906-00000000DC02}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7967-6442-4906-00000000DC02}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.205{AF4EC832-7967-6442-4906-00000000DC02}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:16.974{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFC452D09EE1FF8A7D135ED3D080AEF,SHA256=B0A619C2C0179ADCED21B758D501F13DE324D111D6CE39BD55AD0F61D5117BD0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:16.968{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E34709DEBBAF1D0E39366D396F48B96,SHA256=12ACEDB34F959C398119CEFB9A9DD3A095EC4857DFE2B98A0344EF302B750D5D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:16.235{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAEF41ED618A3D6E819FF297D106EF5C,SHA256=EA4E8C1D7FCFCC68F3289E7256ECDBC0D778801DBB76417181663E8C78C331A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.734{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5F855C8E19896344FDAE53D142F8C75F,SHA256=BA3A700D6623D60D44C5B8B328792B58D8B40D7A13D5739B830DD17731B9609D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7969-6442-4B06-00000000DC02}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7969-6442-4B06-00000000DC02}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7969-6442-4B06-00000000DC02}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.719{AF4EC832-7969-6442-4B06-00000000DC02}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000027246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.234{AF4EC832-7969-6442-4A06-00000000DC02}62085760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7969-6442-4A06-00000000DC02}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7969-6442-4A06-00000000DC02}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7969-6442-4A06-00000000DC02}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.035{AF4EC832-7969-6442-4A06-00000000DC02}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:18.091{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E065B4CDF2A46546429E58B97CF140FB,SHA256=00858C10C4381AA09F243555B06DB31440C132525DEFA3A848F6AEA49E2C1A3D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.450{AF4EC832-796A-6442-4C06-00000000DC02}29845292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-796A-6442-4C06-00000000DC02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-796A-6442-4C06-00000000DC02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-796A-6442-4C06-00000000DC02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.220{AF4EC832-796A-6442-4C06-00000000DC02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.019{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8E65D7C1D3A6FBB1A54DA7233AE732,SHA256=5EF72028688A6CBAF34A68009BEA28689C401127EDA91346058DAB9ED151CB79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:19.310{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:19.210{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719A53426EC5C9596352E5DE23ACEA1B,SHA256=535CA76FC2CD49D4A382A2BFD2B9C73F0FDC8D8776191A32304E93AAECD16130,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:16.275{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65391-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000027283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.870{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-796B-6442-4E06-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.867{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.867{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.867{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.865{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.865{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-796B-6442-4E06-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.865{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-796B-6442-4E06-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.866{AF4EC832-796B-6442-4E06-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000027275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.374{AF4EC832-796B-6442-4D06-00000000DC02}62766168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-796B-6442-4D06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-796B-6442-4D06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-796B-6442-4D06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.193{AF4EC832-796B-6442-4D06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.070{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C166E4AD9DEBDF7FE9177CF7BC17D09,SHA256=0E0738770FE5CC8BD9EC7E13FE1002E7DE95A10F959F5128F7DB2EBB055CBECC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:20.256{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7D8AF9703BA16DC4CC89248396B467,SHA256=81940316294CCB3DE7B5FE8CE876802994CFC24DF082A7B364BC7DB54948B21B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-796C-6442-4F06-00000000DC02}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-796C-6442-4F06-00000000DC02}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-796C-6442-4F06-00000000DC02}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.494{AF4EC832-796C-6442-4F06-00000000DC02}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.118{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847FBFAD2B7ACA067262FC60202C5FAC,SHA256=B1202D7640AF0DE6192450DBF5BF5D53A823852D8CC015C10501F3263829E478,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.069{AF4EC832-796B-6442-4E06-00000000DC02}5045684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:21.389{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B07AFBAB5E96D82FE6C0E169ACC9E9F,SHA256=B0182DB95F616757757F4DFFF61409EAB8791D00741574F425994DBDCBAB62BD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:21.134{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F804CB9D1C3980CE85131F4BA815E968,SHA256=0FFA7045437460F2F88008A44C33BF31881E4296F204251896BB8FE2F8650FEB,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:18.575{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50429-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
354300x800000000000000022297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:18.375{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50428-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:22.409{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-047MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:22.408{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AB6ECCCF78C1374600D0C5A207D022,SHA256=DB8D44C53A255685703C9DF61705A436D1D2C16F38308AB950F17C1C15F025FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:22.250{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC4CDC0F504A4905DAF929950E73B03,SHA256=CC1C4A3DA41B8E15A83A7B5D2FF2C2E4A57E42D2FA96DEC8463BCB8EBA6F1808,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:23.638{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FB4A8D8717E1D862E77E7105BEE851,SHA256=4156F8602170803D957A47D867B1C45DAFC121F6ECA6886EF308284079C97963,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:23.366{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CD0610EF7D8FAF142443EC2F852162,SHA256=AA9D944CCF169F686FA01E22DF94D87892D405E2B5CA11401B2DB3C5FB902CCC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:23.408{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-048MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:24.769{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A61ED4FB9780A73D8B315035E6E0677,SHA256=74669FCEEE0A7D61CF9C522B58AFA4679B8CEB4637B4CD5A1C583E572D87F9A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:24.417{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D967796457746954EC44B44DA64DF0,SHA256=E39FB1DFD5E5B567B9CCBA77E73E7591E7675E974C6286647585E66007D36F08,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:25.905{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E215031D09FDDAA40683A07A04F084,SHA256=510990955B4174CEB3E19AA963F4358CD368A53BBF848B60F4BD77B165A7861D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:25.532{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A369963B151E3AF97A531551678E908,SHA256=CBF57A3E650B40942A00E502A600192D4BF4E3492C4BD5CF59459C5ED847CF1C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:21.374{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65392-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:26.565{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971BA52F11E7C737CC48E680250234A7,SHA256=24B074036EB67637B61E34085C542639D79F46125A0F8B86B3676F759E4DCA64,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:24.340{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50430-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000027301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:26.290{AF4EC832-6B63-6442-0D00-00000000DC02}8964028C:\Windows\system32\svchost.exe{AF4EC832-7353-6442-7A05-00000000DC02}4404C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:27.631{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5BABE9B646E74267E6F52C1233A2A5,SHA256=E7BC80D3B887CD6510B7C25610AA9549BCBDE703C49497E5EB852C8B7EAB50A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:27.867{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BF4125ADB1F76EAAF5D5402956097A5F,SHA256=518A21FC539E790320025DA7CB11461F84B3BE4C862A7ACE08E0D994830B614C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:27.052{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9893EBD4ECA1D75A1EBC6CEBC18D55D,SHA256=56623BED1326C517299B4A8C23784857C9E1AA5A739571784C40F880DC7D8913,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:27.347{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:28.764{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5C60025100E215A00F3C409B8F73B6,SHA256=896FCFDADB3A89658D402EF0A84D3B81D65F9E0C9281832C7638562C0F540BCE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:28.185{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123CD6C0FE6827AEC02D7CA316875AF1,SHA256=A9B72737DE0D86B7B627FFD3491EC465001C83CAE7C9C5167F7745CBA459D377,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:29.319{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CB767B89836D8528C0E4BC4103DA7E,SHA256=6E49E3855C7E93F20F35C7046B000905B3AA4D289A9249DC1C2D7E832D8329CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.771{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2034538232CF45BE6426F6AA8CBBEC05,SHA256=B9072DD4B31AAA184B34D7F66F99E6B1BDEB7C5E06DEAA64B3BDD36FD728273D,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000027318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\DhcpConnForceBroadcastFlagDWORD (0x00000000)
13241300x800000000000000027317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\IsServerNapAwareDWORD (0x00000000)
13241300x800000000000000027316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\AddressTypeDWORD (0x00000000)
13241300x800000000000000027315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\LeaseTerminatesTimeDWORD (0x64428785)
13241300x800000000000000027314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\T2DWORD (0x644285c3)
13241300x800000000000000027313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\T1DWORD (0x6442807d)
13241300x800000000000000027312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\LeaseObtainedTimeDWORD (0x64427975)
13241300x800000000000000027311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\LeaseDWORD (0x00000e10)
13241300x800000000000000027310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\DhcpServer10.0.1.1
13241300x800000000000000027309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\DhcpSubnetMask255.255.255.0
13241300x800000000000000027308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\DhcpIPAddress10.0.1.14
13241300x800000000000000027307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\DhcpInterfaceOptionsBinary Data
354300x800000000000000027306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:25.471{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65393-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000022311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:30.450{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0494D1BFE6AB0550148EC587E0816B,SHA256=1DDF8252D67879FEA7119561952953A840A976E2D9BEACCCA2BB6CAA5D1FC9AA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.832{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FAD388C5670A9CCF90B1553A574851,SHA256=0010C107E0CA800A866E176468E1D3AF10D0668D8141CC01A28ABD311B4AEF0E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.217{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5348F8D1CBD0E5CE9BD7A925D756B46B,SHA256=1902DCCC22C10D886CA42997B71C7FECAE5BEC61F8C0AE399E2C850D01C03318,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.201{AF4EC832-6B60-6442-0B00-00000000DC02}628756C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.201{AF4EC832-6B60-6442-0B00-00000000DC02}628756C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.132{AF4EC832-6B63-6442-1600-00000000DC02}13362148C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.132{AF4EC832-6B63-6442-1600-00000000DC02}13362148C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:31.592{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F76C5BFD6ECAAEB200F37607D00BC7,SHA256=20AF5BA2B2EE1FA2AFCA6D2B4E70E11AD0139DD40A247EF40B3C4CB77BC93688,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:31.873{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECE4FDA0746B7A52A0DD8E23EF55A98,SHA256=266C74B08FFF6F88D603C1AD5B92C22F656DE1732AAEA9BDFC06464BB2B64BE5,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:29.452{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50431-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000027341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:27.313{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps
354300x800000000000000027340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:27.171{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65394-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
13241300x800000000000000027339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\RegisteredSinceBootDWORD (0x00000001)
13241300x800000000000000027338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\StaleAdapterDWORD (0x00000000)
13241300x800000000000000027337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\CompartmentIdDWORD (0x00000001)
13241300x800000000000000027336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\FlagsDWORD (0x00000002)
13241300x800000000000000027335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\TtlDWORD (0x000004b0)
13241300x800000000000000027334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\SentPriUpdateToIpBinary Data
13241300x800000000000000027333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\SentUpdateToIpBinary Data
13241300x800000000000000027332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\DnsServersBinary Data
13241300x800000000000000027331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\HostAddrsBinary Data
13241300x800000000000000027330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\PrimaryDomainNameattackrange.local
13241300x800000000000000027329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\AdapterDomainName(Empty)
13241300x800000000000000027328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\Hostnamewin-dc-ctus-attack-range-616
23542300x800000000000000027396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:35.233{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F8544AA9EB1841C539595F70DF05D9,SHA256=43C8CED00444406AA4AF217B95826A43CDAFB2CB99BAE548AC4A51754C17E9CC,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:34.542{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50432-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:36.055{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A46C68787BF31C0A2F5807D7C36FDE,SHA256=BB5EDD27BD8F23E626D70B456BCB576D76D2588865D1AAEEC78C374CB86F7F28,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:36.367{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C8AED1ACB91079131FFC3933C4E002,SHA256=83B74E2F491E271A72BCAB4EA71A2F096C245F61B0004B88FA7387C3D9A9C4E0,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:32.171{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51637-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:37.088{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9A9EA14AA3A1ECA768C11178453D20,SHA256=0BC4DF9FBDC61A4ECE0B76F8C3F7DB4AF6EC9475E85F7EC2BAD96C16A2BE774C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:37.433{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65FA29E8A217F944596A9E6AC539FA0,SHA256=CE5089658DF044D9E612C26C86FBE7C30A012281CD6D973D7A30E69A6E44A439,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:38.107{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8503B512BB500978999B11FE39CCFA,SHA256=9DCF9630864099EFFF7DFD1F6DF10B1F7A9A9A114E2A969C9FF0C19630F35C96,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:38.518{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1F6B0BA65CEBE23C3F78EE8CA23507,SHA256=2BB0D415758283164DEFAE3CC5EBBE503BF50B29AE1496200A86ECED875F6AF2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:39.269{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AA554952A97070E157E59F1C516488,SHA256=20FE472C57CC2BAC07C3F0531E372F0AF510B18D1B8AED2165A01E7129320CF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:39.548{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89AE2B08C9103B3C18BF14472DED5321,SHA256=F952F2EC096B78BC9C08D16672AB28BADDB17F2ABAC00ABD885140FD2E317874,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:40.369{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD72BF23096B6C70C8E34C774EA76DC,SHA256=5B7DA49460557D1CCB8FC18A738DD607B782AFE309C6D4587C6C216B41878AE0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:40.590{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD3A2B1C2A8016D1671562C5C9CE62A,SHA256=A1515D354C3F94875D6391636B79944F88A216B0A239F542C0049515FC6313D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:41.487{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A445A5EE304D539A68BF7B3EA53FFC,SHA256=110E44349635A699E965B29393ABC48B2B6DFD318321BE3A0EC6CD8224798A29,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:41.632{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F546B3A3644DEBDF19495A2C0DC41F1C,SHA256=26C0044D5710A5BCFA08D15CF7A8D41A5BE4CD3801E5631F2B17881897D7C385,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:42.586{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDEED0E71EEF1D29E18E91531C2F6CE,SHA256=57DDC243BE1114DA8F12FBFA314ED351F24497945CA0E12EAD73D99F87DEA46C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:40.475{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50433-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:42.665{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE946EB83C6F2E02097AF5D6C3A737B,SHA256=5EE536F23A8E4014B47E1C57ECEAAE2B791E30C00648E45BAC112EE4C3A392CF,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:38.186{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51638-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:43.606{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21334DABAD211FCD2E25AE1A1F1235A,SHA256=D8B8A510A2E92922CBCD567D244DA708AFA03BDBEA5DBC24875BF7E55AB90852,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:43.747{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AD7EA69DAAD9D62C906A74DEBC6E7D,SHA256=829620ABDBFD2EB5C01B06C06FD02F6769B97B5B8857D93561E7AA81E048876E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:44.815{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5A35E7300317B8104068528154BAD2,SHA256=467BD280708547A80A7622F617CA2EC98F239F829378E4815AA6B4EDF97DC9A8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:44.636{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8946BBBDBC28298BF7E9C475D82463,SHA256=ABDBAC9276CA4BA3E3B0E0656A73CCC28F887BDF3569166D7C6058D7B04A88D2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:44.389{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C04BB33C4BDB624CDA01FE98D7390A63,SHA256=23BBD7C56D64DB98A4C8AFC626C681B1DEAA0C108CB8F7C0A664EA3922E5FAB4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:45.988{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F185674CB914F600D68B7937DF534064,SHA256=48EE082953DE899F4619C022F358B37C5C7670C8B0CC9461C1DDDAFCC92DFF3F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:45.667{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAC5395142B6E428C407A31B9C41EBC,SHA256=EE4DD712E94AFD364FC18D8A041ECABE063C275F95A47088FECE18D260FA1BFA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:46.804{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C79546214F68CE1BA9140A7D89EA72,SHA256=CF99DF8FAB64C3CA37E2D6EC9D25427301BB0A367F09C17A0830E20800F845E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:46.687{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\datareporting\aborted-session-pingMD5=7E1008ABA98FB9D1A0A5C52CFB173AB1,SHA256=807C7C471CD54AC21B6D2B3A82213820484FE3FF1FA0171C338DA92F5E2EE4D4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:47.818{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CA33802BD8F87BA98415246533FE94,SHA256=5A3886D4E14D48C6F9E0B20537CEF3E226B70376F43E7F87C5160DDBB1A66D22,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:44.168{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51639-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:47.015{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=26DEE1A2A4FC544C8002AC4F9C7B4AC6,SHA256=6200EE26FE9043EE0C19934C7FBA39213687719E5C827ED9A654C5C5CB350275,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:47.015{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8877176848EBD2CB0E7A43123B0E263B,SHA256=BDB3E23B2146C9889D7776604199CBCE76BA216C5666E24448F3E1CCAAE33C68,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:46.453{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50434-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:48.864{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC9E4E3556AAF3858E8434484AE66C5,SHA256=B388E896735FAA09D0B11F9207ADCED6F516453009E7CA6268C48C5C3CB43A69,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:48.164{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3223D11BD72025A4C1891E38709DE3,SHA256=959AB15FE8E31718F1701860EF781263B96ACB4D6A3D65158D727679A0C56C6D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:49.882{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8889452CE645AFE069BB54B0F744B7FA,SHA256=1DA2342E495270F237B1E7BE3F0BFC8350A308EC82478BDE4BB308D9536D725E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:49.245{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278F8DDCC22BC2FE2DD860844AEF2192,SHA256=EB79D0DC96BAF99B7FF3DEEA12765268D538D01004CAAE4ABF344A018DE893F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:50.287{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D73AE8AED39EB8C614501D41DD2E6C2,SHA256=D11FC787A75ADE24F5378F0B935D684C741FE8619E74DFF03471D01CF52B2413,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:51.413{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2DD25A796D1ADC90F4E4B14CB9040E,SHA256=95CC9AB1D156FE2B9C5218528B304F2A3137E09A0E4FBB9B34D59B6992508608,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:51.000{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB571F5390F2A592975D660269DC824C,SHA256=9239245E4D18102E7D69F9A34DD45DFCC8E9B6651A75811D7146542A1C8A52D6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:52.115{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCF6BD29A3F44C3F2210C2D5F88E617,SHA256=2C8CFE5ED9FFBE9A112672336020C525698AA7AE39929C9B0E273EAEDAB4A1DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:52.429{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3F7472FBC01652421E53E108AF3CE,SHA256=18E088EFFAE5CDB5381176C95D2FF709F973C60B9D95DFC72CA608AEB20AD7EA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:51.485{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50435-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:53.246{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C389E22C8FA9C91312A7D338FEBDEEB1,SHA256=E65D224C5A77AA1CFDDFC013172061B83D6D8BA43297027FCD21E55575AEEB35,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:53.486{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0F94B3AF62C30E463463A7AE8C5511,SHA256=2CAB466F653C1C84EF5F258426E44E82ECF7ADD935F8378C3B832FE99FFDB3A2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:54.279{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007B413CE44280C4F41FF158344D9D28,SHA256=CBA8CF92FBC13BBA5113D988AA2887AB7BB5B5375153359C4CD06E47E504EB25,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:50.185{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51640-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:54.544{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF743C652EFBB7B8E8C9625919EE23A,SHA256=954922E84CB1CCEE6F6738050ECC83E8A94B0145CDAC8B95D8E73F6ADB4CDDAF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:55.330{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF2EC1DF82ECCBA3B0C7D9AEEB92E24,SHA256=DB7CC5CB9062CF30E62C72A661C304160DEDA2BB9DAFD1885821A51D303C33BE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:55.585{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13D74737659403647D2AD1FCEAAA06B,SHA256=5EE5ED8C09B17018AB9EC22E6DDA794922A251B48CDF438A4F7DD33383763B33,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:56.627{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5861950096AD2139660E237ADAFCEF5C,SHA256=8035EDB6E5D313C57E0FE6DC3168CEBDE1CBA06F199F28941DE14CAE1C1195A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.480{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC1EC59B40195798E43435F74F7411A,SHA256=544D179D9A519A372096A55BA85A6B49117D736B83CB26D50745EA59DBBC1CF3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7990-6442-F902-00000000DD02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7990-6442-F902-00000000DD02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7990-6442-F902-00000000DD02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.380{223CB5FF-7990-6442-F902-00000000DD02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000022367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7991-6442-FB02-00000000DD02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7991-6442-FB02-00000000DD02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7991-6442-FB02-00000000DD02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.805{223CB5FF-7991-6442-FB02-00000000DD02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.604{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BA4520CE4B7336C3E15B752D12A4F6,SHA256=B4FC33A1813C160CE50471B8F940C185DE8AFC22831AFD3C78D9DFE32313F510,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.588{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E195D03277DA5C15EA65CE09997397A3,SHA256=4943A0C8600759CA5A6553AB3A66F1D1081ACCB03C44A66BE7DD0DA70D3E9EA5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:57.684{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A69E96D2E2FB9DA74269756B3D10E4,SHA256=03A5D6DC2426EC6658E01BFCB75AA3A00B193799FC60F157E42EB68365973240,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7991-6442-FA02-00000000DD02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7991-6442-FA02-00000000DD02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7991-6442-FA02-00000000DD02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-7991-6442-FA02-00000000DD02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000022379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.856{223CB5FF-7992-6442-FC02-00000000DD02}25323316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.719{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DC249E4BC25617D8CC1CF19A865509,SHA256=22A8883EF5B3ED8849682684C8972E8ACA7D3DA452844AA2772FC1EF4D54AFD7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7992-6442-FC02-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7992-6442-FC02-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7992-6442-FC02-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-7992-6442-FC02-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:58.710{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33FC8C9D8C7CBA292AA03E0DCFA0517,SHA256=C918B0E22DBBB3996F44DCE75CA68FB42720F171BB8F40C34BA37B573DCE9DE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.072{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C144A77234ADC6D34810A11F6B4343FC,SHA256=A3856ABA1AA650C430F425933895066D52261526ABD60A82429F63A6E04C5582,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.004{223CB5FF-7991-6442-FB02-00000000DD02}56167096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.803{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41888E63D41F65C610DCD13C0926C9BB,SHA256=48681F9D183194C3D563A6D53FA17DD0406834652E36A635B70B829117495084,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:59.759{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E03C1E347CBE03938AFA2B8F88598D,SHA256=FCEFC279B3435F0F8C218189046C836B910C612B787E70FDA9D1933D48F67C9C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.503{223CB5FF-7993-6442-FD02-00000000DD02}58324648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7993-6442-FD02-00000000DD02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7993-6442-FD02-00000000DD02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7993-6442-FD02-00000000DD02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.357{223CB5FF-7993-6442-FD02-00000000DD02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000027426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:56.204{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51641-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:59.410{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CCA1CEF5F8A091D03CEA0DA13CDB630,SHA256=9F15740EA61D2A604A9A7285771A8DDE697F1DB53823E460A28FDC7E096FCC9B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7994-6442-FE02-00000000DD02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7994-6442-FE02-00000000DD02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7994-6442-FE02-00000000DD02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-7994-6442-FE02-00000000DD02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.836{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079EEACF87EEE1E8996355787CDC7B9D,SHA256=33EF9B35882128317F9F6E30ED13875054BD1D09ECA04F42F29A4019E037BB66,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:00.794{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E497629F6D4F396FBD794992EA638A,SHA256=EBC1CCE0C39F3EDD5FE7116D2A58AE0542E2B4714362F815AC9FC4365CC2DFC9,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000022391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:55:00.755{223CB5FF-6DE2-6442-1500-00000000DD02}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d97448-0x1a0b41b4)
354300x800000000000000022390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.407{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50436-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000027429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:56.504{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51642-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000027428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:56.504{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51642-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap
23542300x800000000000000022410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.957{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6017743536BFBCCAA2F0373421140E9B,SHA256=E4D7C97BBEC193047CE1AF065DB2495816973DE25DD4C0D0776710522DCA047D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:01.824{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0450475B4817D270C66A0FBF5FE3397E,SHA256=4A67CFCAB38E892BEBF3D701C99081EABC5D9ED2D5215D9FA6BD32E4734DAC46,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.538{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7995-6442-FF02-00000000DD02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.536{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.536{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.536{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.536{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.536{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7995-6442-FF02-00000000DD02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.535{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7995-6442-FF02-00000000DD02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.535{223CB5FF-7995-6442-FF02-00000000DD02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000022401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.039{223CB5FF-7994-6442-FE02-00000000DD02}68046492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:02.857{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD075548C82B5895DE825C795F981B6,SHA256=C4A3DC4C6867BDD02D9648D1852D1B76E5DAC94CBFFD2A18CE0DE1FB2D988356,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:03.959{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AF26FC05FBB93E8699BE1C5602795B,SHA256=FDB6CC8514C11D47C96A19801FB91DF610448180AE594F84B6574659E8570A6F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:03.074{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C0A0EABC4B3ECC9C92B995EC01B0FB,SHA256=6F4F55667B38AA9F7428D537F7C352831AE1D7CEFE6B7CCF7053DA558D56B1FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:04.205{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBACB57BCB7B13880AB663B46E6847E,SHA256=93D1800159E76F9E5A65C7E7E29D3FCE0C7759043DE84CAA47358E6550446F58,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:01.260{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51643-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:05.338{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790D1F5E51BC280EEC1320CE894E6C90,SHA256=8BE9EE6BDCAA4E49B7E97E2A6C9B547B4634D8C681BF51464348943C386CE7A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:05.086{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CF4D0ACF538DB3ABF61471830D08BD,SHA256=BFA2D5FF71789507D484A8F4F706FB29159F2D4EC75B13D9218927D0062F07BB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:06.437{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511E115E3037EFFCDFF3E140F5E2A9EA,SHA256=CDC10B353FE1D2F1CC9A9D2017C4CBF76CE8FD0CEE3FB7FA7B1914A345548B25,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:06.146{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DE2CCC7EBA03AE8DF9B099B4DA8C22,SHA256=4F5A452E3F431C6DA86754CB5125CFA735B51BB1518189930DD1A141D4E4CB86,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:03.360{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50437-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:07.888{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8B21D4E69169A69235BCC54CAAC388F5,SHA256=903F008D4A4B34ECC0BB93762C713D22C9DA02E87C69AFE77C24431E50FE9796,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:07.572{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470F3D2992377E7636314D0AAB1E497E,SHA256=5A210462333DE9D26714DB10EF962583EA696FF03673B443A2E7FA5A94422F0C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:07.166{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7676CEB77EA7F962E3844662F19DD1,SHA256=A3F18F1BD0382CB8CBE00F1FF75AE32397DE4D25D3CAC53C96EB630D454CB1B2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:08.719{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D3BF98AED46661C0274D3E9E0AFF06,SHA256=786F8D7FF0088717F65C02396144CA9810A2C24DD2733095798A95011D0BA5CE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:08.295{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4121B5C569A92BBCB1F59DB5BE48DD63,SHA256=F51504E364EAFEA47282D0B3BDAD6EBA94324792AC1C4555E3013AAD71A64AF8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:09.771{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5C36E03E6F095A889839556B722F7D,SHA256=7367FD1D4667608C9F9147DC72714808A23C0E8C729EEB6AD938DD4A850B96DE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:09.354{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E0353BD86E4B24634A3F86DAA3CC74,SHA256=A800FAC9C664231834DDCF9862904C33B784630C1A04D81C5C64C4AE24B1F55E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:10.802{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2582EA4D117A9714279D537CA0A6D6B1,SHA256=7CFBACF12C324865589796694A3FCB5EC8B1B45125C15EC543E36F8D1E28356A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:10.374{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7809FD0E9F3FAFE0519BAD0AF8E1397,SHA256=B1F8AE6506142472013252D1410D2584EDC4EADBEBA37067A537853FD26CC4B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:11.935{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCFE2E6EE5422151735BEBD5BA2F2CF,SHA256=CD1A46192BA70C00636647DD198BF5DEA26A4558F4EA337B4E68F1557B045805,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:11.978{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:11.978{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:11.428{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299EAC08229408820CFF7CA811B0EA63,SHA256=B911D547EF7C891C46E8AC5406FD0960AACF6FC248CF8A62597A33171F5D3550,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:09.404{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50438-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000027441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:07.291{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51644-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:12.446{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FC420060BF49B4E7DEC9ABA0A5781D,SHA256=068E5C28439169C2712B7E2B711519D479D0164A805FCA5F4EA83534A5DDD2E2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:12.669{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:13.565{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3691D43454ECEC634D558F065DEFE117,SHA256=3C5343E609AC957DC7F00A29AB5FB203CADA2C9716117F9F37FE3658E1D02057,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:13.034{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85F5B74F5042E1EE2F914CB6B6999B3,SHA256=704DD6512E4AD8EA761796DB2FC1A117C42BE004C8DF1FC42BADBCC02069E9A1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:14.772{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-058MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:14.586{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFBB8FFF3A287DD71E888D420C8F332,SHA256=B452897A71F07DD1A4DCE6E69148023280ED495863E8C65976EB4581EAACEFA5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:14.068{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF92741B12CC1E709CDDFE188178EE8,SHA256=19BAA30BDF1F3B72BC2F58D56959C72DBE2428FFCF2892DEAFA2BF7C56F37653,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:10.097{AF4EC832-6B63-6442-0D00-00000000DC02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51645-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap
354300x800000000000000027447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:10.097{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51645-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap
23542300x800000000000000027460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.771{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.654{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE64B67396D659ADC9F2317B69ED169,SHA256=80F4397CFE456CE4662C2C8FC5A396076215E82A1FE13A6C626901B6F64C35B7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:15.198{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8428753EFEACAA2D3059B1107CF2D4,SHA256=14B5FEDA1A1D3EAB913A919EFA90914CEDAB3D7C3CC9B4367E3ECABA8DCA15B2,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.091{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79A3-6442-5006-00000000DC02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.088{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.087{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.087{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.087{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.086{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79A3-6442-5006-00000000DC02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.086{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79A3-6442-5006-00000000DC02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.085{AF4EC832-79A3-6442-5006-00000000DC02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:16.351{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E1C3F5E809FB1A274B5417B604F725,SHA256=03966048DE906721D798BB17EB2A8D23145E87C8469240336FC28E1E90F21338,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:13.156{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51646-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:16.716{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831691139B13FC10079B9E424EE17C15,SHA256=B476CBCEA1DE18AEA0B213A08BD4406B04F497DDDC7A2F5335CAC4D7544282DB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:16.156{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=879AAC3E3EDCD40AE0C96286CBD107F7,SHA256=015518FB248332A8F03839AE2B177A935A5847C26B715BCF8B937EA7BA738F7D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.960{AF4EC832-79A5-6442-5206-00000000DC02}58924992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.760{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4488A36C03CBF2D70D53CA5593A3DA9E,SHA256=258CDFC4A2B5800D5768B0B95EDA40F81B3A0CCA18C33FEEB05618DCA48F6DBF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79A5-6442-5206-00000000DC02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79A5-6442-5206-00000000DC02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79A5-6442-5206-00000000DC02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.745{AF4EC832-79A5-6442-5206-00000000DC02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:17.466{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF7884D88948BEF3FC837B28880CB27,SHA256=C1527F2BBC3864E4E636833B3362E7380BB603DB08810C3A711052C64DFE5218,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.317{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6EBA3D042A0A0F2A7977C2AEB8AB8A56,SHA256=7A7F2E7BDD4885541B6A434289C8AA1A5F64E9E96E081D1BF1D791231CBDFD0F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.058{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79A5-6442-5106-00000000DC02}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.624{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79A8-6442-5606-00000000DC02}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.624{AF4EC832-79A8-6442-5606-00000000DC02}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000027511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.179{AF4EC832-79A7-6442-5506-00000000DC02}26484100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:21.728{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00EFA93B60BAEA188C8D6EE9E3CAF25,SHA256=38716C94D6C864DB76C8075B88EC84FB6E595208EFDD11B27CCF027231A5CB97,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:18.597{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50440-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
10341000x800000000000000027528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:21.882{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:21.882{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:21.882{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
13241300x800000000000000027525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:21.035{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\3CE3DF5F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_3CE3DF5F-0000-0000-0000-100000000000.XML
13241300x800000000000000027524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:21.035{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D34FDAEF-E258-4A57-A230-22BB3A38D685\Config SourceDWORD (0x00000001)
13241300x800000000000000027523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:21.035{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D34FDAEF-E258-4A57-A230-22BB3A38D685\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D34FDAEF-E258-4A57-A230-22BB3A38D685.XML
10341000x800000000000000027522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:21.024{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:21.024{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:22.728{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33B27F43ACE466DD26A03EFB9126C2C,SHA256=0626FCC9764EEE3315E2EB2FDCD5E55739C6E8FC5B14746A5F60CB93FBC7551E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:22.985{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE2B18611DBE7AC5D516A1FEC7A20546,SHA256=AA83DE510C46D80B8D28052E82946139983BD61B23084022831F2A870BF2A198,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.000{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51648-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000027538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.000{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51648-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap
10341000x800000000000000027537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:22.727{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:22.727{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:22.727{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000027534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.170{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:f860:867e:9ac:ffff-56748-truee000:fc:0:0:0:0:0:0-5355llmnr
354300x800000000000000027533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.170{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local56748-trueff02:0:0:0:0:0:1:3-5355llmnr
354300x800000000000000027532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.168{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local54516-
354300x800000000000000027531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.166{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local50364-
354300x800000000000000027530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.266{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51647-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:22.026{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1360ECBD604276A7C93ADF2E6E4A2514,SHA256=C07AE9D3D806528BC17CBB80126B5EDC436D71F61DF5ACB82439CFAC9EF7324E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:23.947{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-048MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:23.846{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF35A74DBDD14AC3566E7A926670D48,SHA256=4E747E3462A5F2256D2688CBBAF11C4BE18CCE385B34E8596C9D1D7F0EDEE72A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:23.069{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07541BB3E3B12BF82841E78D3ED4EA,SHA256=882FA8C7D509605E24BF9E20D6F4FC3A46E50378DB861903B156702FE5D2B988,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:24.949{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-049MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:24.865{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5AE5F3D088BB271EB6559656D11953,SHA256=AF0B76347235ED5F8048E288E25C0F63EA97D40E42875B622AF4F1BF98D8894C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:21.348{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50441-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:24.088{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93148987433881B5B395B211806742E5,SHA256=F449B32F7B785DA4D490CABBCAEE8C5ECA4660A02285F41B839606943A39F28D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:25.949{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A35F71C07052D44A11DF2D37BF0997,SHA256=AF56F058FEF921531DFD970EBA729E44247ADAF009A0001A38628952CB75455D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:25.236{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0777D497D301614395CC3B52678C7D6,SHA256=3E56DFD190821005F0EC7E55E0435622549AC1533106BD81DDF57F12BD512596,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.844{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51649-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000027543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.844{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51649-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap
23542300x800000000000000022443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:26.982{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1993C04F6E8D2F0B9ADC5ED778B885,SHA256=69DFDFA00072A599B5C0A2B908A6618EE104216A46CDD666D4F5A898BC12ED1E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:26.280{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F05EE73AD1FFC3ADCA79866517969B,SHA256=C24E852DD2391926AF69FA1C7F42F20988D9175705A1D0B663506AA706B46A48,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:27.398{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795C7BDD5645F6273BF5CF1B6417FFAE,SHA256=A386917CC67D827320C61B231788F0B5BB4DE54EA9FD431E4B33468FAD743AD4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:27.383{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:28.444{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F62C3EFE32130337D0D17056A4EAE8,SHA256=F1A92A4693C86FFA9E7EF123430E9BA18EB14F31F40641CC292EB19FA59F87DC,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:26.436{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50442-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:28.301{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=749A2284B287E62C48CCC4D1A26D4523,SHA256=EFB307A5F73B2133C211F66846931E6204F4E7E59A6C6A458C7AF9EE8B3C6981,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:28.001{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19268DB558BB44843E7CDFC8F28B6C9,SHA256=9CA3549215777C9061C6CDEDAC55DE344CB9B075BEAD2D6EA4453EA700843389,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:24.180{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51650-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
13241300x800000000000000027562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000027561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0037f6a9)
13241300x800000000000000027560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9743f-0xc8daba53)
13241300x800000000000000027559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97448-0x2a9f2253)
13241300x800000000000000027558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0x8c638a53)
13241300x800000000000000027557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000027556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0037f6a9)
13241300x800000000000000027555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9743f-0xc8daba53)
13241300x800000000000000027554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97448-0x2a9f2253)
13241300x800000000000000027553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0x8c638a53)
23542300x800000000000000027552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.487{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F9A6C4A68FDA520F68F3B2B67F080D,SHA256=4F60DA7F84F15D420EEA2CB64C135E9EAD95F259D754B78778AFDD4112F8374E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:29.019{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53778678B5A4E06206A1A7642D0FC45,SHA256=F6385B9E1ECB369C48206A203736B9B3F29A7EE13D9B541E309B8510CF6D7753,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:25.484{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51651-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000027564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:30.527{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25744F47E6B373E307F520C3BD66F8,SHA256=144DADF322835E151D23AF18AC29AD31807DBABA9FBC4F73F523E8BED0A8B6FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:30.074{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7824AFD4B0DC9F7121FC24D9EF755E,SHA256=E82EB07C39BCB12527B2F66458D5836C825A7B5D52708D7948381C39476F21DC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:30.248{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DEC84EE944E138CF6F7C5E9D3B02A3FB,SHA256=077A655F476E51E3B4BBA8E7F2ED22D40CAB62038288FE7CE0EB39B76B7DADE3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:31.935{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B5D-6442-0100-00000000DC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97952|C:\Windows\system32\kerberos.DLL+79c68|C:\Windows\system32\kerberos.DLL+1458f|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+2da46|C:\Windows\system32\lsasrv.dll+332d9|C:\Windows\system32\lsasrv.dll+30c27|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+17bcd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e
10341000x800000000000000027567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:31.812{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:31.812{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:31.596{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F8988F9B3D9693C62B4EBC01B420BE,SHA256=4005D2AC3C3D5A771B95C4947A5C5D485522B320ED0C3CBD67FA268F9BF15D44,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:31.092{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610E8FA15AC1C6C7C76134842C53517B,SHA256=A7F4523F55946AFEF6DA0FC61B58FED27C696D650E58050B40475CE4898AF3D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:32.899{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34CE163D9FB9EA46D0BFA4B60A86B1DD,SHA256=24139E8D1E22DD08D3CE0085BF432BA72EFCF855B029C7DE9C587C85FA15B968,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.941{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51656-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000027577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.941{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51656-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000027576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.931{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51655-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000027575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.931{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51655-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000027574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.931{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51654-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local49666-
354300x800000000000000027573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.931{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51654-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local49666-
354300x800000000000000027572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.930{AF4EC832-6B63-6442-0D00-00000000DC02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51653-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap
354300x800000000000000027571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.930{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51653-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap
23542300x800000000000000027570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:32.633{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D3010BBECC750A7EDB142B2673D9BB,SHA256=9DC30F4A4C52CDE763C60F2FF5E9A5DEC99CA81BBDB7D57F474EA58775F0245A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-79CC-6442-0003-00000000DD02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-79CC-6442-0003-00000000DD02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-79CC-6442-0003-00000000DD02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
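The block of records ending here is a normal process-start fingerprint as Sysmon records it: one Event ID 1 (ProcessCreate) for splunk-MonitorNoHandle.exe (PID 4064, parent splunkd.exe PID 876), surrounded by Event ID 10 (ProcessAccess) records in which the parent, csrss.exe and conhost.exe obtain 0x1fffff (PROCESS_ALL_ACCESS) handles to the new child, and svchost.exe (call trace through lsm.dll and RPCRT4.dll) opens sysmon64.exe with 0x1400 (PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION). Telling that noise apart from a real handle to a security process is the triage problem these events pose. The Python below is an added example, not code from this log or from Splunk or Sysinternals: it decodes GrantedAccess masks, correlates Event ID 10 with Event ID 1 so a parent's full handle to the child it just created is recognised, and applies a small baseline. The `Key=Value;...` line layout, the allowlist of subsystem sources, the protected-target list and the `C:\Users\Public\tool.exe` record are constructed assumptions; the last of these is not in the log and exists only to exercise the alert path.

```python
"""Baseline triage of Sysmon Event ID 10 (ProcessAccess) records.

Added example. SAMPLE_LOG is constructed in a simplified Key=Value;... layout,
modelled on the win-host-ctus-attack-range-328 records above; the tool.exe
record is hypothetical.
"""
from __future__ import annotations

import ntpath

# Process access rights from winnt.h (bits relevant to ProcessAccess triage).
PROCESS_RIGHTS = {
    0x000001: "PROCESS_TERMINATE",
    0x000002: "PROCESS_CREATE_THREAD",
    0x000008: "PROCESS_VM_OPERATION",
    0x000010: "PROCESS_VM_READ",
    0x000020: "PROCESS_VM_WRITE",
    0x000040: "PROCESS_DUP_HANDLE",
    0x000080: "PROCESS_CREATE_PROCESS",
    0x000100: "PROCESS_SET_QUOTA",
    0x000200: "PROCESS_SET_INFORMATION",
    0x000400: "PROCESS_QUERY_INFORMATION",
    0x000800: "PROCESS_SUSPEND_RESUME",
    0x001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
KNOWN_BITS = sum(PROCESS_RIGHTS)  # distinct single bits, so sum == bitwise OR
PROCESS_ALL_ACCESS = 0x1FFFFF
QUERY_ONLY = 0x0400 | 0x1000      # 0x1400, the svchost.exe (lsm.dll) -> sysmon64.exe pattern above
INTRUSIVE = 0x0001 | 0x0002 | 0x0008 | 0x0020 | 0x0800  # terminate, thread create, VM op/write, suspend

# Baseline assumptions (not taken from the log): sources that legitimately hold
# full handles to processes they did not create, and targets worth alerting on.
SUBSYSTEM_SOURCES = {"csrss.exe", "conhost.exe"}
PROTECTED_TARGETS = {"sysmon64.exe", "sysmon.exe", "lsass.exe"}

# Constructed sample: one Event ID 1 and four Event ID 10 records.
SAMPLE_LOG = r"""
EventID=1;UtcTime=2023-04-21 11:55:56.340;ProcessId=4064;Image=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe;ParentProcessId=876;ParentImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
EventID=10;UtcTime=2023-04-21 11:55:56.340;SourceProcessId=876;SourceImage=C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe;TargetProcessId=4064;TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe;GrantedAccess=0x1fffff
EventID=10;UtcTime=2023-04-21 11:55:56.340;SourceProcessId=420;SourceImage=C:\Windows\system32\csrss.exe;TargetProcessId=4064;TargetImage=C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe;GrantedAccess=0x1fffff
EventID=10;UtcTime=2023-04-21 11:55:56.340;SourceProcessId=728;SourceImage=C:\Windows\system32\svchost.exe;TargetProcessId=1936;TargetImage=C:\Windows\sysmon64.exe;GrantedAccess=0x1400
EventID=10;UtcTime=2023-04-21 11:56:02.000;SourceProcessId=5120;SourceImage=C:\Users\Public\tool.exe;TargetProcessId=1936;TargetImage=C:\Windows\sysmon64.exe;GrantedAccess=0x1038
""".strip().splitlines()


def parse_line(line: str) -> dict[str, str]:
    """Split one constructed 'Key=Value;Key=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split(";"))


def decode_access(mask: int) -> list[str]:
    """Name the rights in a GrantedAccess mask; unnamed bits are kept as hex."""
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(hex(leftover))
    return names


def triage(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (verdict, source image name, reason) for every Event ID 10 record.

    Event ID 1 records are consumed first so the parent's handle to the child it
    created is recognised whatever the record order. The match is by PID only,
    so PID reuse across a long window would need the ProcessGuid fields as well.
    """
    records = [parse_line(line) for line in lines if line.strip()]
    parent_of = {r["ProcessId"]: r["ParentProcessId"] for r in records if r["EventID"] == "1"}
    findings = []
    for r in records:
        if r["EventID"] != "10":
            continue
        mask = int(r["GrantedAccess"], 16)
        src = ntpath.basename(r["SourceImage"]).lower()
        tgt = ntpath.basename(r["TargetImage"]).lower()
        rights = ",".join(decode_access(mask))
        if parent_of.get(r["TargetProcessId"]) == r["SourceProcessId"]:
            findings.append(("benign", src, f"parent handle to child it created ({rights})"))
        elif src in SUBSYSTEM_SOURCES:
            findings.append(("benign", src, f"subsystem process ({rights})"))
        elif (mask & ~QUERY_ONLY) == 0:
            findings.append(("benign", src, f"query-only access to {tgt} ({rights})"))
        elif tgt in PROTECTED_TARGETS and (mask & INTRUSIVE):
            findings.append(("alert", src, f"intrusive rights on {tgt}: {rights}"))
        else:
            findings.append(("review", src, f"{tgt}: {rights}"))
    return findings


if __name__ == "__main__":
    for verdict, src, reason in triage(SAMPLE_LOG):
        print(f"{verdict:7} {src:28} {reason}")
```

The three rules in order (parent of the target, subsystem source, query-only mask) account for every Event ID 10 record in the block above; only the constructed tool.exe record, which asks for PROCESS_VM_WRITE and PROCESS_VM_OPERATION on sysmon64.exe, reaches the alert branch. A production version would key the parent lookup on ProcessGuid rather than PID and would treat an unknown source with PROCESS_ALL_ACCESS on a protected target as an alert even when no intrusive bit is set individually, since 0x1fffff includes them all.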
23542300x800000000000000022506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.039{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C1D03354B26B06D644485293A2BDD8,SHA256=9E12B57AA445A8DDE671E404A4CF538DDF14E28421D12145931E5CC379EA317B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:56.542{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3085F5E56459CA9CEA3420ADD4F1D358,SHA256=BA2A02741812D032086D89C4B3CA5A57D9C619CD16FBABB9930B6D872CE0A66F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.909{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-79CD-6442-0203-00000000DD02}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.908{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.908{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.907{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.907{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.907{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-79CD-6442-0203-00000000DD02}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.907{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-79CD-6442-0203-00000000DD02}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.907{223CB5FF-79CD-6442-0203-00000000DD02}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.489{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A1D43D798173FA14E67A8BE9EBA9139A,SHA256=5402ED058282FC1DA8E9A6F2CC0F172C57A4CC377278B64593F77CFB3D5D3A69,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.430{223CB5FF-79CD-6442-0103-00000000DD02}39566844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.358{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B16728A0A652B07E7A18CF323D8F4579,SHA256=441C09A521603294D37F9A224B04A9689404BC7EA91783AE5DE175011FF085A3,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-79CD-6442-0103-00000000DD02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-79CD-6442-0103-00000000DD02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-79CD-6442-0103-00000000DD02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.243{223CB5FF-79CD-6442-0103-00000000DD02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.088{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1387428C6EEDCE6696771B605512C83E,SHA256=F0AAA0E3222CD71DDE74D7D8CFA6BBA148991401B2CDDB7C3F991C30005F21A0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:57.576{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2B13CEAD0861D0379E51F92D801DBC,SHA256=A1E34D8A3A28C5DBC284BEBC776E7E5265EA93FDD3CC6E45B4A7ADC55AB0D72F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:58.622{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0884FAEE1254F420DDEBF4649E9F5118,SHA256=56BE4E7162211A77C681A708FCE63B6F33D2A28BFEF6D9CE9F9F5278259A9C92,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.730{223CB5FF-79CE-6442-0303-00000000DD02}67085360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-79CE-6442-0303-00000000DD02}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:07.906{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A3530E21EB951EE3534200B4F25BC2C0,SHA256=76FCE6C2690BF84E368C159311522DE81B92C1CF14A68DB4ECAF986D3BF0F8A9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:07.389{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C9ED6D669902206903F9EEE17FD8E4,SHA256=24AB8AAF00C978A0EF28365899004E261FE59A4F3813669EEECD9F74310BE099,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:07.044{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8006752A16A0C9C7C207F55EEF4DCC7,SHA256=99FAE3B61D15831DEFE48F1D17ED6139A0CEAAE070E7E7DDAFF941C58E550B04,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:08.507{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA22C9C4A584203DC146D03EB68897B,SHA256=57458F4B18014060AE7D8C532D96E0DBB4907847C2F4F92011B78D57FF28B4D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:08.088{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717905B58A23704264D09CB0C90B2BD2,SHA256=65426F8D05B82B307C49857F09C6DCA82712EE2C79891EEAF6F2546DAC66A062,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:09.547{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE52E127688671C7FB6BA403507BB039,SHA256=0CF3AE4AA54F64F18B72A0CAE44E977B7D6EB8D60B1A11AFECCBD603DBCFC2AF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:09.123{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D0B30E1D0B657ECCFE0CE151CAAFEE,SHA256=0B0DA3B1BDC10DE7609CB92C2AC491F5610C52B5A5237C088EBD9C21771C4FCE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:10.565{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C54C23A9A57EE8EF67AF971538FA391,SHA256=54352336DCA3FA72A657399DAD4D42FC0BD3776790199FC35C016771F1AFF7DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:10.152{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD06219D9BAC3FFE39E66F70CD3F926,SHA256=0FAF57947C39EF0CDDA409644651294FBB7399E91D064D7E3468E831D146316D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:11.631{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3558273CD83398603F5E52C9351228,SHA256=BC1D044B562B2FDBDCF5D744EE4BC1B08C958B13C25F73400F495D11A44D2006,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:11.180{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F31FEB44761D208CA4573A270103815,SHA256=D9EF93BE4ECB56F29F923C7D4F54A2431B97D752E6502EC672B6C72A3B943EAD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:12.670{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADE42B2D0C0C9FF6901009E80F1D710,SHA256=B3DA9440D0F0F30FC6F1A6CAB659E5FFE6F95B769DC86DC9CB38B0A522210D6A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:08.238{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51666-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000027636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:08.125{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53165-
354300x800000000000000027635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:08.125{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local49310-
354300x800000000000000027634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:08.124{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local52525-
23542300x800000000000000027633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:12.214{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A57A6E051F9886C16FEC8C34C9EEDE3,SHA256=DE60ADB3F4D0DD9698EF3701F5F31FE058CC79EAF7D33681DE188F7D8BFA3C12,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:09.431{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50450-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:13.720{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703EA97B90F1A927D9F5AE3ACD3DDE7D,SHA256=8FF41B0D3FF1689E1B837EFA071E633ACD03D4007FA3EFE421B3978DE74FCD1D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:13.284{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A538CA6516673EEFE932AF32C8BC153,SHA256=A38DB6691102D2864ADEB4AA90CBEEBD7586747101FFBB8AE9C1B1E4D276062F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:13.235{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:14.839{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C5EEF95C277B321719D2241E1FFFBB,SHA256=0139B7B096FE544775985BD9B574161B8F78B54076526C9FC73E99C6BBF7EFE9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:14.316{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6074ABB11276A13135781BF5213371F7,SHA256=98719E7D62C3A4DFDCCF17BFBDDB76F560D868AB35EFA9A3161B1FD481B749ED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:15.892{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A735A2D00A8A5647A21C4418A8BAFAD,SHA256=EC354305D9E2D631668DF61944F2077758176FFD12A73178083B7C05F831CBA5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.447{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58334C507EF420254545002454D7D7D,SHA256=93127F0269A54AEA53B926BDA93FACDBA0DB28C1D55EC64B0CD409F43ED8807D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79DF-6442-5706-00000000DC02}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-79DF-6442-5706-00000000DC02}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79DF-6442-5706-00000000DC02}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-79DF-6442-5706-00000000DC02}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:16.910{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41E1E0491E9335B6D9B99B487D45B07,SHA256=F399B8D6C8FF264337C6BEC13F3DD984DE31B06842145917ABD2AB2D3E0C95F8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:16.549{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0E1E4DDE310C078E02AF4B0F2AD886,SHA256=8F338A91B06FACF368BC110A47A3CED4543791D4D9C2A8C5BFE34FC8CE3F3CFF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:16.301{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-059MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:16.215{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B295628650EBBF9DBB0570651B596506,SHA256=39FC73555571AA674C01D5C363E5204E55D71DDBEA0EB748B0C1B9B07CDA27F6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:17.929{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9536CF31EF82DF68F89CC22CD906C2D6,SHA256=C1A196436572367BA77F2851066D6F0E46291D013617F81F775903DEB68637E4,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E1-6442-5906-00000000DC02}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79E1-6442-5906-00000000DC02}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79E1-6442-5906-00000000DC02}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.703{AF4EC832-79E1-6442-5906-00000000DC02}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000027662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:14.209{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51667-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.632{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245E1B900CF040A040D1986747BF3322,SHA256=DB2FAE570D49745A5CC1B88C04F90D60E2512FC8B886A57D9C51F58267FD6EE2,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:15.360{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50451-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.302{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E1-6442-5806-00000000DC02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79E1-6442-5806-00000000DC02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79E1-6442-5806-00000000DC02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.076{AF4EC832-79E1-6442-5806-00000000DC02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:18.948{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28A787FA0EC045B73F22A7321FD6D0F,SHA256=9260C16A1E94647F9DE4B3C6504AF46C70630EA71AFB958CAA48A7C9E54EFCED,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.699{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98F09EC7AC043A609859CBA2DD978FF,SHA256=1D9D7F080905FFA711EB9468530904C67BF5C7AEC8DD5D838EF3BF906957E30D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.484{AF4EC832-79E2-6442-5A06-00000000DC02}57564520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.320{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E2-6442-5A06-00000000DC02}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79E2-6442-5A06-00000000DC02}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79E2-6442-5A06-00000000DC02}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.316{AF4EC832-79E2-6442-5A06-00000000DC02}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.012{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=263FC21AE3979B63392CE6501C3772B5,SHA256=9BEDC0B715B55A541A3E8E562FFE3C80D9C2B22C32D6D26639AFEC6C6FD72128,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.008{AF4EC832-79E1-6442-5906-00000000DC02}65881508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:19.971{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2ADD98B05BFD0AD95EEAE6D0BF49C4E,SHA256=8DAEDDDEE2796A5A8F030DBA59BD8AF327508D43BC1E29A2DF2DDE46AA65309E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E3-6442-5C06-00000000DC02}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-79E3-6442-5C06-00000000DC02}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79E3-6442-5C06-00000000DC02}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.902{AF4EC832-79E3-6442-5C06-00000000DC02}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.820{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3E6CCC04C87713E134A7F988A31C92,SHA256=108B5AFFF74F3451F8D925DAF229F48F1EE94F481BD8259BE933B7D3FCD951D7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:19.370{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E3-6442-5B06-00000000DC02}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27686 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:19.244" SourceProcessGUID={AF4EC832-6B62-6442-0C00-00000000DC02} SourceProcessId=840 SourceThreadId=3796 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AF4EC832-6B71-6442-2600-00000000DC02} TargetProcessId=2592 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27685 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:19.244" SourceProcessGUID={AF4EC832-6B60-6442-0500-00000000DC02} SourceProcessId=412 SourceThreadId=428 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={AF4EC832-79E3-6442-5B06-00000000DC02} TargetProcessId=5556 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27684 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:19.244" SourceProcessGUID={AF4EC832-6BFE-6442-B600-00000000DC02} SourceProcessId=4660 SourceThreadId=3996 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={AF4EC832-79E3-6442-5B06-00000000DC02} TargetProcessId=5556 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27683 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:19.245" ProcessGuid={AF4EC832-79E3-6442-5B06-00000000DC02} ProcessId=5556 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe" FileVersion=8.2.5 Description="Windows Print Monitor" Product="splunk Application" Company="Splunk Inc." OriginalFileName=splunk-winprintmon.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"' CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={AF4EC832-6B61-6442-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9 ParentProcessGuid={AF4EC832-6BFE-6442-B600-00000000DC02} ParentProcessId=4660 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22601 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:20.990" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=43F4423CAB2A2FB8851B311FFC2C083E,SHA256=A3227B5E735D0B25858FB476AB8439C21583161D2E8A02DB2D1A5D7D8984E4D5,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27710 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.951" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=81B0074ADC4E0B46437FEAE6C9E00A6B,SHA256=7B467AFB0C871732132F03DF16AC064A941C93637D79C2C1A65445BF957ADCAF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27709 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.710" SourceProcessGUID={AF4EC832-79E4-6442-5D06-00000000DC02} SourceProcessId=6840 SourceThreadId=6000 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" TargetProcessGUID={AF4EC832-6BFE-6442-B600-00000000DC02} TargetProcessId=4660 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" GrantedAccess=0x101400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27708 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.526" SourceProcessGUID={AF4EC832-6BFF-6442-BA00-00000000DC02} SourceProcessId=4848 SourceThreadId=4880 SourceImage=C:\Windows\system32\conhost.exe TargetProcessGUID={AF4EC832-79E4-6442-5D06-00000000DC02} TargetProcessId=6840 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27707 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.526" SourceProcessGUID={AF4EC832-6B62-6442-0C00-00000000DC02} SourceProcessId=840 SourceThreadId=3796 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AF4EC832-6B71-6442-2600-00000000DC02} TargetProcessId=2592 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27706 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.526" SourceProcessGUID={AF4EC832-6B62-6442-0C00-00000000DC02} SourceProcessId=840 SourceThreadId=3796 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AF4EC832-6B71-6442-2600-00000000DC02} TargetProcessId=2592 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27705 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.526" SourceProcessGUID={AF4EC832-6B62-6442-0C00-00000000DC02} SourceProcessId=840 SourceThreadId=3796 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AF4EC832-6B71-6442-2600-00000000DC02} TargetProcessId=2592 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27704 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.526" SourceProcessGUID={AF4EC832-6B62-6442-0C00-00000000DC02} SourceProcessId=840 SourceThreadId=3796 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AF4EC832-6B71-6442-2600-00000000DC02} TargetProcessId=2592 TargetImage=C:\Windows\sysmon64.exe GrantedAccess=0x1400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27703 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.526" SourceProcessGUID={AF4EC832-6B60-6442-0500-00000000DC02} SourceProcessId=412 SourceThreadId=428 SourceImage=C:\Windows\system32\csrss.exe TargetProcessGUID={AF4EC832-79E4-6442-5D06-00000000DC02} TargetProcessId=6840 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27702 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.526" SourceProcessGUID={AF4EC832-6BFE-6442-B600-00000000DC02} SourceProcessId=4660 SourceThreadId=3996 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetProcessGUID={AF4EC832-79E4-6442-5D06-00000000DC02} TargetProcessId=6840 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" GrantedAccess=0x1fffff CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=1 Version=5 Level=4 Task=1 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27701 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.527" ProcessGuid={AF4EC832-79E4-6442-5D06-00000000DC02} ProcessId=6840 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe" FileVersion=8.2.5 Description="Registry monitor" Product="splunk Application" Company="Splunk Inc." OriginalFileName=splunk-regmon.exe CommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"' CurrentDirectory=C:\Windows\system32\ User="NT AUTHORITY\SYSTEM" LogonGuid={AF4EC832-6B61-6442-E703-000000000000} LogonId=0x3e7 TerminalSessionId=0 IntegrityLevel=System Hashes=MD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778 ParentProcessGuid={AF4EC832-6BFE-6442-B600-00000000DC02} ParentProcessId=4660 ParentImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" ParentCommandLine='"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service'
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27700 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:20.296" SourceProcessGUID={AF4EC832-79E3-6442-5C06-00000000DC02} SourceProcessId=5632 SourceThreadId=6824 SourceImage="C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" TargetProcessGUID={AF4EC832-6BFE-6442-B600-00000000DC02} TargetProcessId=4660 TargetImage="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" GrantedAccess=0x101400 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22602 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:18.631" ProcessGuid={223CB5FF-6E46-6442-9A00-00000000DD02} ProcessId=876 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-ctus-attack-range-328.us-east-2.compute.internal SourcePort=50452 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8089 DestinationPortName=-
EventCode=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22611 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:20.469" ProcessGuid={223CB5FF-6E4E-6442-CC00-00000000DD02} ProcessId=2020 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-ctus-attack-range-328.us-east-2.compute.internal SourcePort=50453 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22610 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:22.139" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=305728D333226330C8E580E6C2942F52,SHA256=2FFC4F795D726842AABEF6CD3F535670422A2A3BC9AED5F141E05734640A8FF0,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22609 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:22.033" SourceProcessGUID={223CB5FF-718D-6442-6A01-00000000DD02} SourceProcessId=3596 SourceThreadId=1160 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={223CB5FF-7293-6442-B201-00000000DD02} TargetProcessId=2476 TargetImage=C:\Windows\system32\cmd.exe GrantedAccess=0x1410 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22608 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:22.033" SourceProcessGUID={223CB5FF-718D-6442-6A01-00000000DD02} SourceProcessId=3596 SourceThreadId=1160 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={223CB5FF-7293-6442-B201-00000000DD02} TargetProcessId=2476 TargetImage=C:\Windows\system32\cmd.exe GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22607 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:22.033" SourceProcessGUID={223CB5FF-718D-6442-6A01-00000000DD02} SourceProcessId=3596 SourceThreadId=1160 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={223CB5FF-7293-6442-B201-00000000DD02} TargetProcessId=2476 TargetImage=C:\Windows\system32\cmd.exe GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22606 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:22.023" SourceProcessGUID={223CB5FF-718D-6442-6A01-00000000DD02} SourceProcessId=3596 SourceThreadId=4692 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={223CB5FF-7293-6442-B301-00000000DD02} TargetProcessId=5648 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1410 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22605 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:22.023" SourceProcessGUID={223CB5FF-718D-6442-6A01-00000000DD02} SourceProcessId=3596 SourceThreadId=4692 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={223CB5FF-7293-6442-B301-00000000DD02} TargetProcessId=5648 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22604 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:22.023" SourceProcessGUID={223CB5FF-718D-6442-6A01-00000000DD02} SourceProcessId=3596 SourceThreadId=4692 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={223CB5FF-7293-6442-B301-00000000DD02} TargetProcessId=5648 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22603 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:22.023" SourceProcessGUID={223CB5FF-718D-6442-6A01-00000000DD02} SourceProcessId=3596 SourceThreadId=4692 SourceImage=C:\Windows\Explorer.EXE TargetProcessGUID={223CB5FF-7293-6442-B301-00000000DD02} TargetProcessId=5648 TargetImage=C:\Windows\system32\conhost.exe GrantedAccess=0x1410 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27712 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:19.261" ProcessGuid={AF4EC832-6C09-6442-E700-00000000DC02} ProcessId=2972 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-616.attackrange.local SourcePort=51668 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27711 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:22.068" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=5EAF3C334724CCBAC07C3DBFB860B440,SHA256=E632DE430376B80009885EDE415914880149170E745402DDFB1B94A41EE3B421,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22612 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:23.084" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=C4FDB5FF922AFB0EEA50575E9B174A1F,SHA256=5C53F17169986E15C8741A34E5C8C66D7CC8440F6ED70476C0D4A383A55BFB1A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27713 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:23.103" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=1CAF50A44D33ED297A1A35EADD37DE4F,SHA256=34048AD7CE26AFD44AD4705C1F452F2B88329703F186897401DBA5B7EFC8B5D5,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22613 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:24.214" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=BED639EAE73E7A810A4206A6AF7FA948,SHA256=AFB75BAAB31659820D20C3F2B20EF291293784A85A34502D0DC5904F33C8043C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27714 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:24.255" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=5F32F70CD9914D1A5711175A632A151A,SHA256=A5E4CD23F06532A49F764B7FD09B2E65AC3F16B5CD1EE1272131A773D6FEA383,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22615 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:25.465" ProcessGuid={223CB5FF-6DE3-6442-1900-00000000DD02} ProcessId=1868 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-049 Hashes=MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22614 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:25.230" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=64D74ED76FB4C1BE02AAB74585B2F144,SHA256=7288B15C805A777CA6BF5686CE0D94908704853AD08506F6912ECBD55B48545F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27715 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:25.356" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=D1320E2EEB46B3C4BC36DE99F44DB1B8,SHA256=F88D7163876AD5EC9D7D6DFFCA7F95C7A2095691C52B34886F031BB32FBA7C47,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27716 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:26.388" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=E5CF628F45FDAE42FF47282D9EB4ABC0,SHA256=EBE40C0E192B954D0ACFE3E970BEBB66B0112CC76A949967C6D9D9F45430757F,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22617 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:26.466" ProcessGuid={223CB5FF-6DE3-6442-1900-00000000DD02} ProcessId=1868 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" TargetFilename=C:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-050 Hashes=MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22616 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:26.266" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=0F5FF6BFAE110642793DA12FC067E6F4,SHA256=97505183EB67861B3AEABB5FE25387FEF50B0836240D1347E0242CE792942D6E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27719 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:24.314" ProcessGuid={AF4EC832-6C09-6442-E700-00000000DC02} ProcessId=2972 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-616.attackrange.local SourcePort=51669 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27718 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:27.433" ProcessGuid={AF4EC832-6BFE-6442-B600-00000000DC02} ProcessId=4660 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml" Hashes=MD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27717 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:27.408" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=D5204A627CB50ECBB278CDBD088A86D9,SHA256=16B5A5A40BDC9109781188E7EF008C8061F17BED85E622AA940BF587E4EBD808,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22619 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:27.420" ProcessGuid={223CB5FF-6E46-6442-9A00-00000000DD02} ProcessId=876 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log" Hashes=MD5=7181EAAE3D1806B60378DCC4158ED339,SHA256=14A44E5410F2744C5851A3A132337FE4CBA88DF2F04C6490479412B74FFF6D19,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22618 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:27.289" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=D93410F4D4E3D5213DBF97159D8315C4,SHA256=0B935A0979BE0C634530B11B317CC82B7F5E119128FAF8EBA88B6D32735B283E,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27721 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:25.514" ProcessGuid={AF4EC832-6BFE-6442-B600-00000000DC02} ProcessId=4660 Image="C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.14 SourceHostname=win-dc-ctus-attack-range-616.attackrange.local SourcePort=51670 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8089 DestinationPortName=-
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27720 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:28.560" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=BFA5E0CD8D5CE754F4175C50399079AD,SHA256=49F460580FC8614C0C7765951441D3B1E8F1E19B42AE6417CF3743C35B15FBD3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=3 Version=5 Level=4 Task=3 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22621 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:26.402" ProcessGuid={223CB5FF-6E4E-6442-CC00-00000000DD02} ProcessId=2020 Image="C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" User="NT AUTHORITY\SYSTEM" Protocol=tcp Initiated=true SourceIsIpv6=false SourceIp=10.0.1.15 SourceHostname=win-host-ctus-attack-range-328.us-east-2.compute.internal SourcePort=50454 SourcePortName=- DestinationIsIpv6=false DestinationIp=10.0.1.12 DestinationHostname=ip-10-0-1-12.us-east-2.compute.internal DestinationPort=8000 DestinationPortName=-
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22620 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:28.322" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=E5B8E2C2EA927DB3A772FB034AB58C6C,SHA256=8DC0CDA518ADF3E14D4BE9DEE3A9A6C7CB372C456E7F55E065E870DF24B83328,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27722 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:29.576" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=A15917FFA89E4DAD763D7F1B1C3B4B9F,SHA256=9B0F3FDC38B9E7802DC6F5A2394D3D9451267583693CB4C64D557D729F9F890A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22622 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:29.441" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=6398FD24B5D6B396B482D89BC1F7BF8D,SHA256=F1738E9DFD8215E62B9E7A4DDD61F9696B07702CC304B0C75D9FCE770B4267D9,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27724 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:30.693" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=03254ACEB0224840059D6D3EDF60A250,SHA256=A9E738F09B32450AC3012A06441D0ED25B77B50C0E0D73A686084B7C33A255AF,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22623 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:30.476" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=7203DDCCDF790C2B47F3D4A867F7069E,SHA256=7BFF68003231B9B38780E4B901E04A21F2D1E8704FEBB0A4BD57A65653E9F4F2,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27723 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:30.262" ProcessGuid={AF4EC832-6B63-6442-1300-00000000DC02} ProcessId=776 User="NT AUTHORITY\LOCAL SERVICE" Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Hashes=MD5=589465074D9192CC5822F823731B2EF6,SHA256=171E6C078859056D68332A9D3E4E9ADA9B53C04B0BE66C1C57E6033429F79F56,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27725 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:31.795" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=7C8B1CB095D74A0259E964A98874AC33,SHA256=6B953F9E4FBBAC58482B9293B631F8995905F32274AFDD522A0E82CA1FC4BCB3,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22624 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:31.498" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=A7D6C744BD10A8F74F71BE216165C8DD,SHA256=710BA1F91BEE1EFC931ED30D5255A69489177E92DA26D84E6C287ED368B0433A,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27730 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:32.814" ProcessGuid={AF4EC832-6C0F-6442-0001-00000000DC02} ProcessId=5024 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=4E992BB636150BC3EAF8882203757768,SHA256=8A8E99F9844E91711A54A2E99F3640E65CD6EFC8F0D314AA3C87DDBE505BB652,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22625 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:32.532" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=0C52BF8D29098C871F0B9EAEF46139D9,SHA256=FF2D83B3BB635EE434E2DBDFB43774811608A35BC66413B80E95588F3388D44C,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27729 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:32.039" SourceProcessGUID={AF4EC832-6B63-6442-0D00-00000000DC02} SourceProcessId=896 SourceThreadId=4028 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AF4EC832-6B63-6442-1600-00000000DC02} TargetProcessId=1336 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27728 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:32.039" SourceProcessGUID={AF4EC832-6B63-6442-0D00-00000000DC02} SourceProcessId=896 SourceThreadId=4028 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AF4EC832-717D-6442-1605-00000000DC02} TargetProcessId=1204 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27727 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:32.039" SourceProcessGUID={AF4EC832-6B63-6442-0D00-00000000DC02} SourceProcessId=896 SourceThreadId=4028 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AF4EC832-6B63-6442-1600-00000000DC02} TargetProcessId=1336 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=10 Version=3 Level=4 Task=10 Opcode=0 Keywords=0x8000000000000000 RecordNumber=27726 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-dc-ctus-attack-range-616.attackrange.local RuleName=- UtcTime="2023-04-21 11:56:32.039" SourceProcessGUID={AF4EC832-6B63-6442-0D00-00000000DC02} SourceProcessId=896 SourceThreadId=4028 SourceImage=C:\Windows\system32\svchost.exe TargetProcessGUID={AF4EC832-6B71-6442-2100-00000000DC02} TargetProcessId=2448 TargetImage=C:\Windows\system32\svchost.exe GrantedAccess=0x1000 CallTrace="C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791"
EventCode=23 Version=5 Level=4 Task=23 Opcode=0 Keywords=0x8000000000000000 RecordNumber=22626 LogName=Microsoft-Windows-Sysmon/Operational ComputerName=win-host-ctus-attack-range-328 RuleName=- UtcTime="2023-04-21 11:56:33.565" ProcessGuid={223CB5FF-6E54-6442-E600-00000000DD02} ProcessId=532 User="NT AUTHORITY\SYSTEM" Image="C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe" TargetFilename="C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational" Hashes=MD5=229032D97D4EA72B82BCE8A400EABA82,SHA256=1899AF9F0D016C8661850F80B84EB5318408843E9ECE9296387313BAB3EBE7F8,IMPHASH=00000000000000000000000000000000 IsExecutable=false Archived=true
354300x800000000000000027732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:30.272{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51671-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:33.882{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB491FA4FF2E5D9902B4DF7583A055D,SHA256=AD99EBF0DCD7E7E12068D9E56E7D822F8C2188901D5197F96B201141CEB31E3A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:32.365{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50455-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:34.635{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F224DAD15BFB3F219E09B6CBBEEF5A4E,SHA256=1919986063971B66CB802C5FA9409899A2C8C01CA62031E3D3554E6C2F101C19,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:34.967{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BA84E69ECAC5191BDEBBD498AE6A08,SHA256=90AD0903E901A5A3352937424C91516440AF9F83D5D08D42D0382FF95084ABC2,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:30.751{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local138netbios-dgm
354300x800000000000000027733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:30.751{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm
23542300x800000000000000022629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:35.652{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1D6CB801AE44BBEB3628268624FA5A,SHA256=63979E02F6FA5198D580E4E8E892BBB34B379661B4A939729CBAF60E0FD31E0F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:36.753{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B42DDA4C9F4BE7E627D1C0961B4D43,SHA256=95BA17837C6642D13098EA06878D651E8C436F54E78CCEF5DF724A93B16675F4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:36.117{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3657BB4FB885AD6AFC2A9C736C0EF8C4,SHA256=F89EB0DB4A2A09155100A80067EEA77BF905795750D34E8C800C187F55C38FE7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:37.823{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4AA3AFAD1BA42683129F2D9C4706A4,SHA256=9AAE63927323AB7ABF2457C28432AC7A04A83484AB065F387F85EE221F61BBAB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:37.219{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4094E12E2A7C7B7EF10BAB9FFD0543BA,SHA256=31E8210FDB7CF37245E3DF90E1A29B8BB95A47B2BDDCC1BEAFA4A2A83E74EF11,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:38.871{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB72A050F2299C1E36676BBAE78732C,SHA256=45BD0C349E09F43A4C822036AF58DEAAB5D325F51083C01D7E436C08875458AE,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.277{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:38.346{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292286E4C6BD988892DC6B04CC4F9BBC,SHA256=7AF28796A8E02E84A580FDEC92B94EE7AF4FAB6E08A174FA238DBE5471BC4171,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:39.972{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCAC170F1D427B0C7D0740CE224A0DD,SHA256=5B1DC07CD31F0AD725DEC643FBE4622BDA2AC608F8EC73CD02796C7AD61A77D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:39.473{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C498A4CA59FCFD2F50ECABF1F76880,SHA256=1E6BC2E8611597296CBEE702E812C9F24A26A72E5CE41ED6040D60D192B815DE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:40.550{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8BD9EBB7DF9074197A7C027FDED5B1,SHA256=31B1773CE1C09AA11FADCAC387D350A90B003B55234E50F30C9C53E1E13B042A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:41.650{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D231C037815424998044E4A0532EA49F,SHA256=1D6957A9B029FA6BD5662CC25055DE4526CC60A856D3B54EB7D3FE1180D47669,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:41.073{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1475876086F0707B0E6E2119ADAC7BC2,SHA256=72C08A0CEE94AA15BF043BDD511859C1B13D8021C08AC468641272CED805A4D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:42.777{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4702FEFF23E271935BB3B350E8E0478E,SHA256=820FB7FDB60DDA702D9918406F0D12410EE9DC46154CC9D9C19A92A63E3604E7,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:38.322{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50456-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:42.174{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1ACC4018658E43DD9992BF9B739D48,SHA256=BA5B8A72F4E6F12A3C1598A0DFF46666D5923E337ABE416A4EC8CC3279CE5E1D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:43.952{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F7A3BEB13D799CE19E452913C24DEF,SHA256=DC8B52E1E6D29C10D90C1860654E83A03FD6184CD1F9FCF58F45EF987140E31D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:43.260{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F5AA7E51B3E1A9EFD48A52A4D8AD9E,SHA256=AE9C95ABEE52573416DA6830DCA94DFFF46D1340F107B5F76C11592ED8834D12,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:44.314{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDA50F842314875FDCACEC8DB3DBDC5,SHA256=2F7E6C12CF4454452EF2DFF55F3EF554FA1DF44272C6BDB60BBA6182F032FE6E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:40.314{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:45.416{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA28B3120C76A6D032DA0F6DB157EE72,SHA256=2D41E27B7B7F9F8033F85707E0B53C5A1BBF8F351E8393EE7B313967C9E1627D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:45.010{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158AC0A58760267651D6F164E704A6A8,SHA256=16695729459070B11982D62C222ECB02FA090F0855CA5CEF166617986868EA18,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.701{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+d30b0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd
10341000x800000000000000022646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.701{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+d2b91|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.701{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF2f5fbf.TMPMD5=E8C95C0323BE7CCD9EB117E12775460A,SHA256=5B51629C9D0B874061143DF8659E57E1A50CF449C0146525A6EB2E3CE782E510,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.533{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF457C3F2D1A0A240F647C12597685C,SHA256=A691403445890BB20A9021694CC6A77F3CF66A3EEAD7FFA872914526F3628A59,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:46.597{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:46.597{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:46.597{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:46.054{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72758C980EFA737E4C3041633FDA1A4E,SHA256=4D33FDCC5473CD589D85004923064B3B2E1C3C201F9871D0479DC68A962B51EA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.217{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-718C-6442-6301-00000000DD02}2504C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.217{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.217{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000022640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:43.477{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50457-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:47.665{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9928EF56A56495D2545B7E18B960763C,SHA256=ED8F214274D076EB5896940DF9D453B900019AF8D11921BABDAA810789EF7FE8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:47.281{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F6EDCBCFB2AFAFF9BDFDCD7049898CC8,SHA256=B5928744DCFAC0F05C24C40B2C957F148A2EA218219C793362E8348F469DEF6B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:47.097{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BA30C2AF6538AEB36405CEB10B263D,SHA256=A1B975F6EBB56DADE96B2053F312E69DF172E0DEB5443DDB6E9F0BDF31A85C67,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:48.800{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1DE8E36203389A360330860FFC81B6,SHA256=9FD7BD79100207BD8B6DB59AA7DAB6DC29334C1E8BACE2B66F9AA358A01F4436,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:48.213{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1038074514E4A12008638365F6BF7D,SHA256=892CE3DCBC5EB5142EBCB0B19E23376E6F3514EBD3DB891431F0C3CDF4EB5C43,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:49.868{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B004A9517163DC1ED72A89C200958828,SHA256=7BE62D511244F2467C799D6B30065C0C9175CDE23ECA9AAD3EC4AE4844E7576A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:49.332{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16096631DFA7D17E9F25B98380C1FB7F,SHA256=7C32441263E3CC443E4BDF1B8ED7AE9ADE518851DE16197C8662E633DB3C6380,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:50.885{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FEE2D4AA93F0DB5D31E6529824C113,SHA256=AD57E8768071F077E0FDA6492B2623A5403975181CD65D53EDC970E4DA3DE25C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:50.434{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3DD0788DAF816677FC02E624C9F599,SHA256=09DA47957C439674B2DA2A49291A695D62BBB3F4977009073AF1110CC2FDF962,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:46.138{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51674-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:51.954{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687143CC0D6D308D49131CB300F3909C,SHA256=29164DD263E6266C1BDA3831B7985C94549024907A9390EBD8277ED9AF529B6D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:51.485{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098F98429449F33C656FC29B5C71C0AE,SHA256=CE4D071BD2EE32EE3D44DE03004B57C69F50C1D4E9D56FD43C569F8F8B26B7F7,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:48.481{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50458-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:52.986{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0E4133358EFCDA0790EEDA2F473A2C,SHA256=1F24E8F0831B32BA3C24869DA7AFF370A95C6351B5BE67E65AA9DC281A16818F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:52.602{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696B457F2D12398D9C6CC7FF0A6ADED0,SHA256=82C534C3929FD51E0D43A29962AED0B11AAEFF839934E0505A388F6BAFF76C05,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:53.663{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3DD4D0C5939FBF2A80F804D458F152,SHA256=57A86271E8D2F9FDAD2C570AB306776A60BA69340934882D425981C4AF8A87CC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:54.789{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDE17E9243CEB168C4BF3CE2334777A,SHA256=AE98F3483C05920BD7C9D4568F9EB20CD2488C8E7CF9B853A5E88DFBC09AFA00,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:54.087{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD05DF4095F11BC2496984C3294C4CE,SHA256=06487E941BF42B375506886A17C89E8FA727C98A59248C719C2FE007616EBF03,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:55.865{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7674F1E102971631D5A558E986A6BCEA,SHA256=BE6500636E965CC3A025FB2DD9E48AC7563E8EF9B40A70392A6B116F5E8E9DB2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:55.173{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B7291ABB5DE9345F6604582905C9EF,SHA256=72BB715A7138684FF6B3E28D189101B0E59AE02E140E2F80565A45BF676BB872,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:51.207{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:56.976{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F0D7E4A7918959FD242DEEE54A5ADBA,SHA256=AAB414919A66C5F48595A167C06E9FD8FCFE2422434DDD008857D66B29875EFB,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:53.488{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50459-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000022700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.230{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.230{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A0B-6442-0B03-00000000DD02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.230{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A0B-6442-0B03-00000000DD02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.231{223CB5FF-7A0B-6442-0B03-00000000DD02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000022715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A0C-6442-0C03-00000000DD02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A0C-6442-0C03-00000000DD02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A0C-6442-0C03-00000000DD02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.871{223CB5FF-7A0C-6442-0C03-00000000DD02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.531{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D07250958A972ACB61D6C109BD9B07,SHA256=D871AAF96501113D633E1CC71A517E8D1CDB6839E679EC7C034EE5A5DCA5C1BD,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:56.545{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51676-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000027799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:56.545{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51676-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap
23542300x800000000000000027798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:00.147{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73321B030C9BBDD2010D4772A4749643,SHA256=7A69C88800306BAE67A934B24FB6982A03D3F2724FEF6EB70076429008EB26F3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.624{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B7D58A84EFDDF1BBC040CE6C525FD0,SHA256=88D9F62D545E6296551A3E5064D12E7D44CD8E4B50CDF8D4FD89BFCF506371E6,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A0D-6442-0D03-00000000DD02}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A0D-6442-0D03-00000000DD02}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A0D-6442-0D03-00000000DD02}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.541{223CB5FF-7A0D-6442-0D03-00000000DD02}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000027802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:57.174{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51677-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:01.281{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51235F99D9B72E5B7A7294EAC030E3E6,SHA256=2DEA9A684C06350818E90CF79E715AD2A2CA05763113B59091C3E3DC2B2028AC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.118{223CB5FF-7A0C-6442-0C03-00000000DD02}45804804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:02.641{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8F7AD6C2216DD4D0FBCC12FD84B939,SHA256=8E9D7D24CA96BE84B76E7FD5C76AD8D0FE041A4437FDDAE173A1C4BC1E5CA395,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:02.413{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69420A661BA3DAD90B7442651E7352C,SHA256=E4E0190DC9F8F6B704437EBE218F7C1900C5C50F47C39C359DC266B2001B830C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.343{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50460-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:03.758{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121D713BCA185480C1A75F77711A99F9,SHA256=ED07D3EE71A2E1C536806749AD88C7A306B721E8BBC90FC72F52E98E56787187,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:03.430{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C008B47FD8609FE5272D991A041B0D,SHA256=0416794A4D531611081FD7EBBEC1DE6BB250F64BA6D3D086159773B1206D608E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:04.774{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DBCA4C10370B0F38F3799EC26B98301,SHA256=B1A95FE94A41C6FD88B20F8A03D85807515D90E8DED333AD42E5B03D071F1594,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:04.575{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771E1EFEDCFC4B95C3AD33170A55DF9B,SHA256=FE60A48D56EF4E3683B8A03512ED155F46D6BEBC4025B83A33D7BF0E9B42891D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:05.806{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C876A8B2A748F7B1FD1A918FCADF2BB,SHA256=2BC8D819F429FDB13D159F7648F2FF191D12B5A1E9B23D4B6E58765FF65A76B4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:05.633{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE59B9388ACF9078F4FA3C1FD5EEA67,SHA256=56B4831A0E46EB442CA27895E0CC50F7DE3E8D822DBC987EF71E911CEDA0D3A0,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:02.188{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51678-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:06.907{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4902D91B4185CBFC9D7799311877D0,SHA256=73757275F63F304B409A2E084DC1A63934C759FB27E8581F982FBB01AF13EB99,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:06.652{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867576019639139512E92AAB7E1DCDB6,SHA256=BAAD33C6B34DFD66334E6BA5FA74B92CF93184E72C0E59FD1D56A8DC8E125668,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:04.506{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50461-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:07.920{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4312DA97EBE70889492064A4C8E514B,SHA256=A808EFEAF2F371FD423D1441215F5D27A960EDCAA832C08D0B6F638C119D3F10,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:07.804{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6627C742C1254F73AA4E52D7213039DE,SHA256=A1F0D6DC26C1D1006A8913445F1E905C9DEF2BB1A0F4C72AEE3189138770B7B8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:07.924{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6E9BA44C353F491521D9CF12390B17FC,SHA256=208569679DA7F821CE2C424FDD154A9C16A3AA212AE760299992ED732C23E988,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:08.821{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAC4B3007D540DD2176EB223B80E00F,SHA256=D01C8B1DAACCB98ABA143FF81F9AFD57D32484A9BF0D58CF78CD3EDC264FF479,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:08.045{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7DB444C78E2471F1A978E47E36FDD4,SHA256=595449566433EC54527C3BF30DAD51A44058EF899F5751A354F66217A94E2BB1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:09.939{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB99B8B347C3CC9EAB9CA451EDB6138,SHA256=024483BDE36EB073E2989EE8A3AE43C116400F331E3D2D63525598C2EDAF023A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:09.162{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC42FC8D7831C9C533136A3444F180A,SHA256=43F1C3265870D57E3065D7883DF5061A2BAF43C4495E3AB6233E8312A9E88C29,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:10.463{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:10.463{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:10.463{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:10.247{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB50D190B36152FBD2713BD9E974B206,SHA256=4E031CC1414640A8C11924DE87E36AAC392A60849890A5278D44B1B71E8AB6C4,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:07.240{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51679-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:11.348{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2991F88F9F5871DDA166AC4268EC22A4,SHA256=B85E2CD50B46FAD73BA0BA69B4B6987B34961D4BF12B92BE7E01BE7C790FA27F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:11.085{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697952308DD19C1ED8F7BDEFB0E834FC,SHA256=7E3AB787DE5E82B0C4230E0A31D213080058EDC30C9B35FD1721E51BF9CBD2C2,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:10.329{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50462-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:12.465{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20568352F8E51D2DB4B0F0578F8F7718,SHA256=A7808C6AEEF50C8199D64FD6AF0979F22E81501BD800F795B63E7E8CC845BB15,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:12.211{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E461F3F767BC5B4BADFA799F94318A9,SHA256=5171F9ABBD23C8F73C13634E97EDC3B248278F993989A53FBED3877F9195383F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:13.566{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0538DBD8679883AD0FADAD42278051E6,SHA256=3E711C7ECDF4B7861BEAC1FAA80F94E2CA0CAB0FD396C928137E37585DBDC932,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:13.228{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E584FA1F22A62743440DA132E85D29,SHA256=2327F0801884785436E6AFC5CDE57E61E68C753A5E05C3F8D47814A464F584D4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:14.632{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D805574D238C95E90868E448E0F5986,SHA256=7BA4BB9B26670671973DC6ECE6DF9BB279EB83C245B19445703280DB8E97C9DC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:14.329{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8743DF8F40C8144B92DD30C9A2C457B9,SHA256=D82875B505D7D321F3A715DB36A4E233E99E575A103D2C5FCA8D9BC05D521408,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:15.733{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5566E1EAC764889E5139A1DDE08DFAF1,SHA256=2FA398887F24851F362EFD472E3159198B6022F84BF80222BF4E36E2B5F70EC7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.433{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C392778747706BF82948CB28F981E6,SHA256=D752E2F120D7BEC3E45D7C884F6361BA91AEC8866CAF40C10BFD0FC461E6B4F0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A1B-6442-5E06-00000000DC02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A1B-6442-5E06-00000000DC02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A1B-6442-5E06-00000000DC02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.117{AF4EC832-7A1B-6442-5E06-00000000DC02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:16.785{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FAA16860F597E40DB8AE5BAF6C4CF3,SHA256=D94796381BDFB74C9A3F4A4DB95C4D872195F15C96511BA16528B608EE0A5D46,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:13.203{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51680-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:16.519{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6898BAB78255AC858192124CE655F588,SHA256=8A258DAEC7AA0E52E55B2EF80273D9D68ADFD486556C079F33F4D5371C8F8EC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:16.149{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=833630622B849D4DCC35403E9F8BAAAC,SHA256=C2565F1ACFF9A74E36F3204D008CA4793043B491EA9D5CDDE67501F79396B9FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:17.917{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8DAEAFBC2748063794F0212C034D505,SHA256=4EC818964A23BA0DDB0F488C40F5B362257F6523180995E02C02383A70146E17,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.839{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-060MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A1D-6442-6006-00000000DC02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A1D-6442-6006-00000000DC02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A1D-6442-6006-00000000DC02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.696{AF4EC832-7A1D-6442-6006-00000000DC02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.604{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6F8D273717FD6A62439033C670A2D0,SHA256=B2F050C91A1AF904DCAC79B16D57AB3E712912D24C6D15F93F2528DA67B9A319,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.551{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A22AE0984D4E296AF2B9FEEEE6EAE0A2,SHA256=607311E67AC3168FB716329E3EAF24719C67147D67D4B0DEB51E2B267FA18694,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.304{AF4EC832-7A1D-6442-5F06-00000000DC02}39404360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.338{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A20-6442-6406-00000000DC02}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.338{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A20-6442-6406-00000000DC02}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.341{AF4EC832-7A20-6442-6406-00000000DC02}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000027879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.072{AF4EC832-7A1F-6442-6306-00000000DC02}36405528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:21.815{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA4AEF7F4EBF9A12A112958BF522B1D,SHA256=1AB4F3C57D12229F4272147FA376BDD04B1B3A642A1A25E8178BB9951B933B15,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:21.189{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F22E41D38956008F0FB82D377DC1DC,SHA256=FC25C8EF70BD48AED12037614857BCA862BF998AA72AF57872C0B82384B2AB46,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:22.859{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2576A73F79383EA75BD96B4C77563DF6,SHA256=97561480D5FC7B6CEDFB28122F97B2245B30A5423DE6AD64A6BD1D21075D380E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:22.306{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C09FC1998418A858DAEDE8FD10CCAE,SHA256=0EEB4578C159D42DE18DA9150C60AE31151F959143E67547608ADED824F4AE8B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.185{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51681-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:23.883{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF8709DDE14C90A358F0E923735DD9F,SHA256=4B91436CA9A5160535027E84B1F61B6B825727B6264673CA78A6C6D34B217958,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:23.391{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF47EEFDD7E3B30963E985848D3FA9DE,SHA256=28BF6677EB657E090FC7261D1C11B438A03158EBED7BD740B9E6A58E1EBBEC9C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:24.958{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEADF68B968A404A919740A01651FB9,SHA256=9CE368BC1CB4755DFF7F624C3919E8C775348F904007460E39C1A002EE501BF9,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:22.321{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50465-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:24.508{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D996564270A704F9A2CF46CE1F6F5208,SHA256=A6CCAD16E010002C5EBFBA563F52B7282E59DB42B0669B3F5952323447527FEE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:25.624{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C699A994CD25ABA25EA1626EF68AC31,SHA256=200E30EFA3CDE8DDB8015D075519C9F42A11EF43C908012D61CA00D0BD0DF3B5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:26.981{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-050MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:26.725{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A66313A3A7EA3CE9766048DE2352EE,SHA256=B44762DD892D8BAB1A2643EEC5147CE8B204962CB73932120EFAA3D94F9C9071,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:26.013{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CA97ED832A0760E05CBD186371F7A1,SHA256=0B2888344FD558BD121CCDEF9122354BE99B1CEF3BCF6EF77393B9072CF51DAC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:27.980{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-051MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:27.763{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FA998395F997240D8053636126D456,SHA256=F3D10368EEEFB8B511B871D24C9C7BFE7AD493F7D90A1BD57630654F3413B693,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:27.482{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:27.131{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB56BD7BA077620538ED59A6D7D56EBB,SHA256=7521EE37CBCB2AAFC1270F102D76F80895FF65CF0475D562118FFAAD5E7C006D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:27.463{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=341C42F751290D7E110D4DA030CF946C,SHA256=5B6449D9BD705A48A4BAFD6EE8FFB6EAF8DDC160BAF178F0453AAD5FEE771AA0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:28.879{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90E82BDAA37F6C7EC3FE4F09FDDB504,SHA256=06B4A7A293BFB5DA81225EDDB2A3BAA55A49A334FB10D6969186751A03FF05CB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:28.197{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CC009E04642B13FC3A205062033B50,SHA256=1EB239C1BCDBC2A6A39996BDE327D7876BF131432DB9FE8727790AE2D3349DBB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:29.996{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922D5B1FC718CDE6230C70B0D0A6F18A,SHA256=50ADA6215A212EAB5E5FE112F6C1EF9752524E8AC3158D094A6700F46A093461,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:29.256{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87572C17DC05E5C040D169DC1A4B6E4E,SHA256=C6B11CE18D6A5DD062A683D5D3397C34517C4EB3C0832405B96A3E4D243F5963,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:25.167{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51682-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:30.312{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92287B40C3FCEDBD30414CC8D2518645,SHA256=FCA04ABF55B03157F8F2E194DC891C2C5F4FBD1F36144CBDB65A973946A9032E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:30.280{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=47A87641245CD3748EDC0369F55AD765,SHA256=10DDFC3F915A19B83A49058E50876E01D2255F463B4290E82715E57F4EA6C50E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:27.522{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50466-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000027900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:25.558{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51683-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000027903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:31.329{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365FEAAFA773BC060685671303C047E4,SHA256=CF04B23B0FEE03057AB3774646ED1D649C36E224D4A61F652EF74222DFAB4816,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:31.113{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1A20ECA7C6FB60BF81812BDBBAC036,SHA256=759F48206C8C3CBE092A51A94D2DAD7083F60EA743BB0884E4F135D55213505F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:32.497{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F97AC157A2D8384998C3C7F7AFEF50,SHA256=FBA489DA7B5E7A15053A78DEA62D60B50A5CE0AC3C35478C76D560B7C78EDBD8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:32.199{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC031A25D8273AF913C5B5876960B042,SHA256=B063F2A44C7DBA1D09A581627C4AB7164FABF7A4FA1A6CA31CC2CB541D03DE9D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:33.656{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71BC67FA1882928E0AC9E969AD20D32,SHA256=79F0322E5E33DB70E988648796F090E196A23F890DC3E07C7C3F144100C8C4B9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
Sysmon event records (Splunk WinEventLog export) with the field delimiters restored. Fields are tab-separated, in the order the export emits them; the System fields come first (EventID, Version, Level, Task, Opcode, Keywords, RecordID, Channel, Computer), then the EventData fields for that event type:
Event 10 (ProcessAccess): EventID, Version, Level, Task, Opcode, Keywords, RecordID, Channel, Computer, RuleName, UtcTime, SourceProcessGUID, SourceProcessId+SourceThreadId (fused in the export; the boundary between the two values is not recoverable), SourceImage, TargetProcessGUID, TargetProcessId, TargetImage, GrantedAccess, CallTrace
Event 23 (FileDelete): EventID, Version, Level, Task, Opcode, Keywords, RecordID, Channel, Computer, RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable, Archived
Event 3 (NetworkConnect): EventID, Version, Level, Task, Opcode, Keywords, RecordID, Channel, Computer, RuleName, UtcTime, ProcessGuid, ProcessId, Image, User, Protocol, Initiated, SourceIsIpv6, SourceIp, SourceHostname, SourcePort, SourcePortName, DestinationIsIpv6, DestinationIp, DestinationHostname, DestinationPort, DestinationPortName

10	3	4	10	0	0x8000000000000000	22790	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-718D-6442-6A01-00000000DD02}	3596	C:\Windows\Explorer.EXE	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22789	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-718D-6442-6A01-00000000DD02}	3596	C:\Windows\Explorer.EXE	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22788	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-718D-6442-6A01-00000000DD02}	3596	C:\Windows\Explorer.EXE	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22787	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-718D-6442-6A01-00000000DD02}	3596	C:\Windows\Explorer.EXE	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22786	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-718D-6442-6A01-00000000DD02}	3596	C:\Windows\Explorer.EXE	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22785	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-718D-6442-6A01-00000000DD02}	3596	C:\Windows\Explorer.EXE	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22784	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-718D-6442-6A01-00000000DD02}	3596	C:\Windows\Explorer.EXE	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22783	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-718D-6442-6A01-00000000DD02}	3596	C:\Windows\Explorer.EXE	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22782	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-718D-6442-6A01-00000000DD02}	3596	C:\Windows\Explorer.EXE	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22781	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7193-6442-7801-00000000DD02}	4768	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22780	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7193-6442-7801-00000000DD02}	4768	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22779	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7193-6442-7801-00000000DD02}	4768	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22778	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7193-6442-7801-00000000DD02}	4768	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22777	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7193-6442-7801-00000000DD02}	4768	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22776	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7193-6442-7801-00000000DD02}	4768	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22775	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7193-6442-7801-00000000DD02}	4768	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22774	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7193-6442-7801-00000000DD02}	4768	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22773	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7193-6442-7801-00000000DD02}	4768	C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22772	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7195-6442-7901-00000000DD02}	4892	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22771	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7195-6442-7901-00000000DD02}	4892	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10	3	4	10	0	0x8000000000000000	22770	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.700	{223CB5FF-6DE2-6442-0D00-00000000DD02}	792812	C:\Windows\system32\svchost.exe	{223CB5FF-7195-6442-7901-00000000DD02}	4892	C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe	0x1000	C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23	5	4	23	0	0x8000000000000000	22769	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.268	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=537AA3A4886E705A26510AC15083E8AC,SHA256=A1FA257CEC3E35D98FD5E475BDBD67C9C798572CA4E81559422E5C8D72D0C5DD,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22800	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:34.570	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=8A23A7772734D086F343B5CED069CE36,SHA256=4FAA4A4A6CB6E9692E4532F3C1A8C56D2138A56DB3D4D14E35E4EB9890201F15,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27906	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:34.711	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=20A2D035973D01B2300A8E920B1EC31A,SHA256=DD76E24A95CDA6A7D7A0FC3BAA485F05B2DF28A5FC1504E17A80BAB4F40A9F2B,IMPHASH=00000000000000000000000000000000	false	true
3	5	4	3	0	0x8000000000000000	22802	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:33.366	{223CB5FF-6E4E-6442-CC00-00000000DD02}	2020	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.15	win-host-ctus-attack-range-328.us-east-2.compute.internal	50467	-	false	10.0.1.12	ip-10-0-1-12.us-east-2.compute.internal	8000	-
23	5	4	23	0	0x8000000000000000	22801	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:35.651	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=CEF42A8DB94AFB0ECED9225EA029DE2E,SHA256=15EC8F7FC80DF3225D509EDEEEF0E8CFB5897670C5D93576D1C7164DA300F4F5,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27908	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:35.729	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=EC8FD850D87BA9761AA755987BE5FE70,SHA256=80C6E61B5F3731B17CFCB5657E7876C97FC2ECE9087392F0149051B87AB981A3,IMPHASH=00000000000000000000000000000000	false	true
3	5	4	3	0	0x8000000000000000	27907	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:31.196	{AF4EC832-6C09-6442-E700-00000000DC02}	2972	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.14	win-dc-ctus-attack-range-616.attackrange.local	51684	-	false	10.0.1.12	ip-10-0-1-12.us-east-2.compute.internal	8000	-
23	5	4	23	0	0x8000000000000000	22803	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:36.753	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=1AC83BF157BE1DDAD5908E1884A78C9E,SHA256=58FBB94020D086A91B8A31C11C573569A89F81CA78448C293A50D6D370A07584,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27909	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:36.894	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=5034F196962B0BA9F2C562CE4D555A6B,SHA256=273FC5430BE93AD9C1737B8A526F02BAB0AFB66091AA9ABCCDCE51E94AED09B0,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22804	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:37.835	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=001A9568B582566F9F504C67FDC0D618,SHA256=4EE75D6EA6A950C3F4559193117F7BC2A765B3F207A19E793A921806CF3A8F05,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22805	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:38.907	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=07B1984A84636F9CCED142057533A720,SHA256=B6F0E6B9077BDEEEB287FCBA0C31EECFD1D22D0EDEC5B5E056BCB550C0F9AB38,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27910	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:38.026	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=0966A3C08AE089115C85985DE0C7025D,SHA256=59FB480EF9C831C0DED5F0C6E517B61C8765555821E84B8E5A3B2BFE9BE944F9,IMPHASH=00000000000000000000000000000000	false	true
3	5	4	3	0	0x8000000000000000	27912	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:36.253	{AF4EC832-6C09-6442-E700-00000000DC02}	2972	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.14	win-dc-ctus-attack-range-616.attackrange.local	51685	-	false	10.0.1.12	ip-10-0-1-12.us-east-2.compute.internal	8000	-
23	5	4	23	0	0x8000000000000000	27911	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:39.077	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=F6EE1BF6EF517369933BB4DD630B9CAD,SHA256=6A51EA3374DC65314AB3DFB319BCF27E96B03D68D079E7EE2460D6C259D27A20,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22806	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:40.008	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=949DD6A2595D5D448EC79B989524FDE3,SHA256=46F870971D77182F9206703DE22FFB8BB3F801CBF2C33E682CDA423D72CED548,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27913	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:40.126	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=D75208F2A0E9CEC87761F9D6B9391237,SHA256=6E48A0EC7EA70363C0D5FE4764AF538388E3C23BAB51112A1F690CF288632F8D,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22807	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:41.109	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=2AC928ECF13B2D1B035A6A735207D5D6,SHA256=DDFC7A97FA6F4BFFD0E871125CCB274716FBD1B3C99550F864CAD316707EA33A,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27914	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:41.176	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=0E6FFE81F4923F1BCC818F2A755B5F50,SHA256=97C7F67031FC28F5C8CD90CF00CE216C143391274E75578256DF1B32EC998FEF,IMPHASH=00000000000000000000000000000000	false	true
3	5	4	3	0	0x8000000000000000	22809	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:38.434	{223CB5FF-6E4E-6442-CC00-00000000DD02}	2020	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.15	win-host-ctus-attack-range-328.us-east-2.compute.internal	50468	-	false	10.0.1.12	ip-10-0-1-12.us-east-2.compute.internal	8000	-
23	5	4	23	0	0x8000000000000000	22808	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:42.194	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=776CECB5A0B399EB9279DDAD57EBC442,SHA256=4298EC3B491D434EBF2E1481A1FB450B1372E8523E794D2CB99DFE9915F57293,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27915	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:42.307	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=9D4F719753DCFE938E3875B2A7E70E24,SHA256=A8EAA31E25EE35623F5DCDA4D590AD74F63676EE6B005FEDD9A500E792B33333,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22810	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:43.294	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=EE7EBFFAFE40899B5A21F928F78BD798,SHA256=DBB35168B7DFBBDC585A91B0CE0AD74FE3DF02B2B66D42FABC23F56D4BAC2751,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27916	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:43.350	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=6F14E48AA1E88D6EF2259443203D820E,SHA256=8D093CF5406A2A1FBC85461D9C5637FE6A16EA7B579293B53950F567DFE75D38,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27917	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:44.406	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=1620B864364D0462276A56CED7F948C8,SHA256=DA6FA52EA77C3B8BCFBF34E348D6263921960BE991763F90014D269DF2CC3823,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22811	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:44.357	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=7B30C9D6DAF57E6F1A7B78027F5C2D92,SHA256=3E1C140E0AA376091ED9C6829C92B2E0049AFF620AB54D65F598F51CFC3F2224,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22812	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:45.408	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=164E2DCBFFADF743BFF3155EF874B101,SHA256=37FEA03478507B6EC76E7547F254E176254BB316C4B9931E2A113FD3BCDE6FE9,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27919	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:45.450	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=EB12E7413F8D56424FE21C6ED58C8FE9,SHA256=EF8AFE029D3E3FB3CE391842B1408D54EAA53CB4CEA1072EF256E725BA8DDBEB,IMPHASH=00000000000000000000000000000000	false	true
3	5	4	3	0	0x8000000000000000	27918	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:41.320	{AF4EC832-6C09-6442-E700-00000000DC02}	2972	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.14	win-dc-ctus-attack-range-616.attackrange.local	51686	-	false	10.0.1.12	ip-10-0-1-12.us-east-2.compute.internal	8000	-
23	5	4	23	0	0x8000000000000000	22814	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:46.556	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=B76975C28CC86AC4EB32C03434C74975,SHA256=3225DD53C4CA1A29CE9BF870D90EA6653BE814E77A109923A27E03EEA55FD6CE,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27920	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:46.505	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=A7DA54D3D2135D628DE455094D0B16E0,SHA256=4446C4418F0ADD15F585686C06490C3B15DC86909D61D9940458A90403900A56,IMPHASH=00000000000000000000000000000000	false	true
3	5	4	3	0	0x8000000000000000	22813	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:43.536	{223CB5FF-6E4E-6442-CC00-00000000DD02}	2020	C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe	NT AUTHORITY\SYSTEM	tcp	true	false	10.0.1.15	win-host-ctus-attack-range-328.us-east-2.compute.internal	50469	-	false	10.0.1.12	ip-10-0-1-12.us-east-2.compute.internal	8000	-
23	5	4	23	0	0x8000000000000000	22815	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:47.606	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=05594DA452D21AD96E05D4D6C2776AB6,SHA256=E23F2D09A363DB9C83923DD6E55353472D848B2D87A71A92800BB3755495A9BF,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27922	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:47.604	{AF4EC832-6BFE-6442-B600-00000000DC02}	4660	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe	C:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.log	MD5=FA85E8033EE6B2D20CA97DE1359A3A53,SHA256=12829C2F0240C38D3E827EE166EBD06F6FFCD4249D3ED5CDDB3689437F0D3A17,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27921	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:47.557	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=0F54313EBC6DB6BB0DD5407C787521E0,SHA256=B7B9ED5F434DF5BFAE74584E301EEE5BCF664F5F4F3491689135B3C18955A0B0,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22816	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:48.774	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=8A6239DBBA9B997B02D86D1C14E5E7FE,SHA256=C0C69FB36E409B6E2443CD0793974A2EC9F3439E92A8A169BB2649597DD400F0,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27923	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:48.603	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=53770469FBF84099FCE1550C2681D0A7,SHA256=18F92A0E3935D4BD33A6A8B26C7067BCE63505B873F3F11472EFE26709253415,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22817	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:49.820	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=776FD1FD9E8E61464056DDF1144ACFBA,SHA256=0F369188B7FFCADA6C52BDA95F89C203FA89014E6E6FC731983FAE2961C9C9A2,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27924	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:49.671	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=86FE1B0EC873A4EBEC0D35C99528A9A8,SHA256=5B12F95086FE4989D789AD2C8237EC2170E7A39E9B3FC53D63AFFCB7E10737A2,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	22819	Microsoft-Windows-Sysmon/Operational	win-host-ctus-attack-range-328	-	2023-04-21 11:57:50.888	{223CB5FF-6E54-6442-E600-00000000DD02}	532	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=9C2B174E4E4B27D3AC54D1F296A57831,SHA256=8957CF38E0B6534D71B48C74E6A0D2B652EA70DA3E08470B5584031304AECD8A,IMPHASH=00000000000000000000000000000000	false	true
23	5	4	23	0	0x8000000000000000	27926	Microsoft-Windows-Sysmon/Operational	win-dc-ctus-attack-range-616.attackrange.local	-	2023-04-21 11:57:50.719	{AF4EC832-6C0F-6442-0001-00000000DC02}	5024	NT AUTHORITY\SYSTEM	C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe	C:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational	MD5=3B7D5BB9DA7C60B805FD1FAA0F1EFEDA,SHA256=154235162ABE89F0A3022863A2684179E77937E4283A9BF6A0DFDEB81D30E725,IMPHASH=00000000000000000000000000000000	false	true
10341000x800000000000000022818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:50.604{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1500-00000000DD02}1104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000027925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:47.169{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51687-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:51.819{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7541F3B7BBA3C1E1D72E5B7088771FF,SHA256=72DCF7C872DE2991430AAA8A13D368E100E70602C12B1C1E286522475DCC4B8E,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:49.468{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50470-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:52.901{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CB8286BF2CEA5E3D144295AD9A315F,SHA256=4BA5639E7363B53E6D67EF9025167514B7AA13E6CD0DC54054D63BDFF0EA8721,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:52.003{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5277889BF3B6B6EE406BE19802CD487A,SHA256=5819541B84444E1E4FCC6CA764714962737E33C1E92C2ECD7BC537546B611967,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:53.968{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF0A12D2A8FD6BEDAD12775965C26C6,SHA256=FBC7A916506B1D1CF74D72DED67DA8974CB29A67A0FB12CFAFD00AD4588A6C82,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:53.052{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590C3529E6DC472F8177FA6CDB9EA5FC,SHA256=9A7C028984F62B19602F235C30A4DF5869E6BA733D7469A9F2A57AB9906D2333,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:51.853{223CB5FF-767E-6442-4F02-00000000DD02}3744C:\Program Files\Google\Chrome\Application\chrome.exeWIN-HOST-CTUS-A\Administratorudptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50425-false239.255.255.250-1900ssdp
23542300x800000000000000022823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:54.155{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758B759B63C9C78495C190C00ABE0860,SHA256=5F1949D39613F792D57DF4EBE1A6C74BB41333904391051D0D2D3557CE122AF3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:55.275{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914DB88C9BF825553A80D3D3AC3DA1DC,SHA256=B19E764B5FB1B1EE9E30CF7D1767EB71FBBA477E66E92A68645FD7007C2596FB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:55.043{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F6B109654E9EE6C3B05F38464CADC0,SHA256=9D113C137E119DFE0E404E5D1F53114E3B89C55AC4BACE66F3891A00E15F7793,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.356{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A44-6442-0E03-00000000DD02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.355{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.355{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.354{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.354{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.354{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7A44-6442-0E03-00000000DD02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.354{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A44-6442-0E03-00000000DD02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.353{223CB5FF-7A44-6442-0E03-00000000DD02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.337{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F5F4AB40B09921EA2E3CAE97FB3DDF,SHA256=E46957EF954618EBA677759A3A0B53EF1EAC531FBD9238AB48ED5283518CD2C7,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:52.197{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51688-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:56.067{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AED0C844BD8F4887D655A6A884BB62F,SHA256=92C2912877AB2BB76D1C312D1D420CDCC0BF2486C4B6E72BCE4816F4542C624E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A45-6442-1003-00000000DD02}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A45-6442-1003-00000000DD02}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A45-6442-1003-00000000DD02}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.939{223CB5FF-7A45-6442-1003-00000000DD02}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.605{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E1854CBBDD5AF9563D6A50A57CA8A487,SHA256=735C7F7458D25B27CF8C6CB13EACA207E719B190A84AD4A5211E50776A8C05D1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.459{223CB5FF-7A45-6442-0F03-00000000DD02}52683000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.421{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A1C3F8AA2E268B294B12EFE3D0077F7,SHA256=C6983864EF68E989552946F8AEF002A1D31DC42302917709B076A429D22A6D93,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.359{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DE902052B7CFE256428B6AA869869D,SHA256=80895DD0C610552A91362B1E0038F3113A75C20DF6A0657CEC41F199084039E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.358{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5FFDBC69FFA32D291483325FCC2BB2,SHA256=050A1E69B318D59AEE338F3DD3C90D6852CE0939490B4E42961A19FB491E8D36,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:57.198{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A567165DD1D40BEFE0CECDECEED6CF,SHA256=F102469C130DCC761E9D0CB928B36B96E1DB302D2F088E15DA391632D7AD7B03,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.256{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A45-6442-0F03-00000000DD02}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.254{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.254{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.253{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:01.456{223CB5FF-7A49-6442-1403-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:02.808{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153CAB01BFEA45791E32BCEF8EBBCA9A,SHA256=ECA4459BAB0A2488C231D857CF398E5C68F5261652010CA3E03FECFE673B7B3C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.487{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50472-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000027942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:58.236{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51690-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:02.464{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1007AABD10CE994ED072877CAE87CD,SHA256=BE46F433876EC3E0FF9B6F9D6317A1AEA440A33763B50556C17FE2F41244A2E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:03.857{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D1B897CC62DE3C7E19AA18F8294562,SHA256=93F6C1D2D4CC417C4460ADF92E759E5FB243E39B79EAB2EB55E754DFA7968A2A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:03.513{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F90BE5FCB96507109967406DB0EEBCE,SHA256=EA7CF8BA54A3C9D590C592CF3FC13E93EC02F526A86D33089B6B0A685D4B64AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:04.976{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A87E0FB6FFAF0496CFDFBEDCE144188,SHA256=67B676B81D05F25C2D54E6CAB87BABA7B56DADF93602D8EFACD4952AFAB40946,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:04.564{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575F644F9E89A45E67361927D75ECFDE,SHA256=205810EDF2559543073731FE22403E7E3AE04E3ACBD1BC0B200B9DCDBB3E08B0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:05.696{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297AABF930FF244377DF9878AE787807,SHA256=8608F8FC0971478EAECC5C3D96498212862DC9700367B38249885879A5D8212B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:06.740{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C5C2F78C4D4CFFD053716DAAEE223F,SHA256=125A32E6242FCC5EA1F456588D768E583C2867AC6B34845D3F9CCDD04C4926F5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:06.122{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E9E06090B84568C63ADF51FD8D154A,SHA256=A443547117467E35BB01262BE12DEE80988AA58B268E00A9B6EEC4EF20C149C1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:07.937{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D5C8FD4449083DB22F0B24D64EA005C1,SHA256=45514A5A924A07BCF20CEF694A5CC29A6D9046D428835B0C242CCE95D28B27CB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:07.237{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DBCE3586F0DD0BF012931786366A40,SHA256=88AB8E85D94EF37803DB8E73D00C2F63B0D74CA2F412AA3A3065BA93247C69FA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:03.344{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51691-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:07.779{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DF33CB44B139AC3DFFAA2D1A4E6F7F,SHA256=7F5746DA1980F9D6A5823AD643AD47EB10341D2B0DFDE67D60D6701C85735C13,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:06.469{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50473-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:08.375{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FC03C0D840AA90727A3AFD2A22396F,SHA256=6F62F23A02ACB28C1B561D003347BFDF2A1E5DFB9A429B007A8B22479FB48E86,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:08.813{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0D25B05BFCA5D6025E7C89C86489F9,SHA256=1FA9BF9D1322E746FC288A8806B45FB0460F15DBFB545EE069B0EDC6B79AF6E9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:09.506{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5AED52E97FC3268333CF25763F87A8,SHA256=4AFAE641E33CB123B6F9AD4B36271ED3CF353C1EEDBDE91E5AA199CC768F873E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:09.878{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536A5348A72FD0F512483B0902BBC7D,SHA256=1A7B63204468125BEA8558C168695ABA4C2F012C89D4448EF88318342D781602,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000022914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000022913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0030a195)
13241300x800000000000000022912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d97440-0x2845ddae)
13241300x800000000000000022911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97448-0x8a0a45ae)
13241300x800000000000000022910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0xebceadae)
13241300x800000000000000022909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006)
13241300x800000000000000022908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0030a195)
13241300x800000000000000022907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d97440-0x2845ddae)
13241300x800000000000000022906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97448-0x8a0a45ae)
13241300x800000000000000022905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0xebceadae)
23542300x800000000000000027951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:10.937{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631BC3A3AB3E38ABEB9E031C68F76100,SHA256=4289A29B572D96B6D4BC358109A03EAC16D7D5E5D7A138E43DC6C932375028D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:10.554{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174ABD8A58C7BCA4B6AA115EEB5F2990,SHA256=0C04F9CDD53979218A852A5AD0B4A1481C0AC70B44CAB31EF399DF8EF51E2BC1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:11.992{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826BAF5EB24BAF82A4869B1721C4DC21,SHA256=ACC541F0187457628FE12C098E191960DE6B85C5FF778069C55A34F1897CECE6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:11.589{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7EBA42BA33BED94E19E1299673F5FB,SHA256=2EFB5D9ACD76FF6C090F62909E4102EA6927D0449CA2B0F113EA630BD9C9E279,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:12.635{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D802B45C137CE1DC5AC1E15E5E6EBF1C,SHA256=DC0663DFD44199DD472849920F352EF2868C478FCB1CD0E40B36EE757A916E0E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:13.673{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBB957F71ACE35404983666F38A758F,SHA256=CB5B1CA7D206A793965749E4A5DD5FCF61B95738F4BFD7ECBFAC88EAD5EB0889,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:09.103{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51692-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:13.161{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69A857BC5E771D8E293C8A525AC3F5E9,SHA256=722041D5E5130B3B5740EF688B0528AB79B853A39714F8A2D6188FAFE847AED7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:13.061{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7884A121D9409C4ED1C4E9EBE9458F6A,SHA256=AC96F0935A6F1819FEDDE60C4EE59CF8274A3C34D30B8F522F6E49E0E1243DDB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:14.803{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8084C956DE6BDA7EE305F7B6F9BAEA8F,SHA256=50B591AAC9DAD86580E2FFF168EFAF4998468095C2C42CE471C40EE89D711923,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:14.110{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF1EBB6917E8276452806BDF8DA2B16,SHA256=ED1143DD2717BF739F90FDB611D33506B2F209DBF45CC4BD8F7E2E7DC7AFFC55,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:15.951{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098942864545DAC1B96F96D061638BE5,SHA256=2E9E4576F0DB6FEBFC719BBF06560C485E657250EF42CACD247F5D41373BB02B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:12.433{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50474-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.210{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85B7D02F7D6FEDA9A42EF4D48660CFF,SHA256=E038D94C22C56629C430E4F4685B4C1C61EB9E65296FF088E1EAE0A445F24D75,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A57-6442-6506-00000000DC02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7A57-6442-6506-00000000DC02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A57-6442-6506-00000000DC02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-7A57-6442-6506-00000000DC02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:16.244{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF16C91470FE2BE4EFEBA262E921669,SHA256=2629430CD31CD496E399DEE9B16767B2CD0C4758E98F2770499D9083B4ED0E49,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:17.002{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C25CEFB1F1D129D1F54D94E9F307E9,SHA256=F7A64925C9C49C9E19774089FFDE21B1B803796E8013F9B83D9C31251BBC28AC,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.809{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A59-6442-6706-00000000DC02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.807{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.807{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.807{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.807{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.807{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A59-6442-6706-00000000DC02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.806{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A59-6442-6706-00000000DC02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.806{AF4EC832-7A59-6442-6706-00000000DC02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000027976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.334{AF4EC832-7A59-6442-6606-00000000DC02}16684160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000027975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.311{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3752BF1D86800091686B96C142B56B,SHA256=31996028BDD58103C2F758A12B05700513A732D17B2B1CB4E6FD6406CAF54332,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A59-6442-6606-00000000DC02}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A59-6442-6606-00000000DC02}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A59-6442-6606-00000000DC02}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.135{AF4EC832-7A59-6442-6606-00000000DC02}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:18.132{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AE0D853BCA61550574A028E8EF9B96,SHA256=570C50712C2B66E9C8560635C185857BDA33D5628F5ED0AE0BEA30BF271158EA,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000027997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.642{AF4EC832-7A5A-6442-6806-00000000DC02}57684688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A5A-6442-6806-00000000DC02}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000027991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A5A-6442-6806-00000000DC02}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000027990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A5A-6442-6806-00000000DC02}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000027989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.474{AF4EC832-7A5A-6442-6806-00000000DC02}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000027988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.389{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7F11BF7BBF2371F9C923115CF2466B,SHA256=EF18BCD2A8DDFDEA8DA0D662BB5CC1C8C47288C5319C5FECA26C10A02A23018D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000027987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.258{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=201F218489342478713AD5BD8AA3E5E0,SHA256=5A6FAAE5C317A1FB8CB40542F84BB8ABEA5D6764C946A9E2C8B15A0069339C47,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000027986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:14.153{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51693-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000027985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.008{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9B1C4FBE4D15D0707582AFF0889EE148,SHA256=99A509F8248BF7E19C787A501AFEA9B70646DC5D5D2F350CF3ABD5448668EB79,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:19.435{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:19.153{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4105634A41C2467C6386E18F14659938,SHA256=5E4FB642EAF8C404A20E8616551340143E7CAC54FDAB733868259140ABE7A48B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A5B-6442-6A06-00000000DC02}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A5B-6442-6A06-00000000DC02}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
23542300x800000000000000028043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:32.370{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA04972DB1C53DBF6174AD7D2B7DE84,SHA256=59962AFB17CB0511A59F0954C825D1B25D2C47BEB0139F389C593095BBE97DA9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:33.145{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CECFE12A4D59793885574DDEA53B473,SHA256=BC07406944A30C3E37DE2416D72B25B04EDABA4408154A28F8FB0879B6A42806,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:30.192{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51697-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:33.388{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F95D3E0FD0C540DB3A38B4EB5A9714,SHA256=E6131ECCC8C2D53C290D25CFA9ED2DA0D918464B30ADBF45CB2182E0EE403A45,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:34.297{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937AEAF58F9725AD1FAE1955F2FCAC9F,SHA256=18F64AC38B4F69ECD9A7511B5424DEF85123E272E598B7C5461650CF4F7A5D87,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:34.435{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2E9045B8F896432131CCAB10DED718,SHA256=0D85A1C3AE076434A27C34F944F43081CB0B87F59A0DF79D49408EA4FF16A105,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:35.328{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30579530C3124ECE754C3E6B7F7C1051,SHA256=621A323A04B5F8211C716A3DCB6E0E743B1C833F5BE7B6EAA9604D544526C1D3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:35.462{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5837D23F24C4F559C3FE373DE1F83B90,SHA256=15AE02BD62237A26B8A4EFA55B7D482C28F44AF023D6820B2AB2C5AD7A3822D4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:36.380{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B925B3E96C16CA5A12BCB08B92A079,SHA256=05DBF12726BD621ADACACCDCDCC29AEA2DAB0FABD7B482693CFC90355B12F762,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.681{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7A2CE573865FA13604F464664D10D4F7,SHA256=D86182BE75B71649C6692CF677986DA4897CA9CAFD875B69E0BDE1C2CB1495A3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.512{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4244F2A7CDFB9A4744CBEB7A22C536A,SHA256=93C37BFB3C0C7EDFEF100E3332548F7FD1846BB80F82B3E609225D8AB2E2B524,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000028138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:42.062{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A85D092471C6ABA3A9E046F2791C399,SHA256=21A16F8924B07CE188D995289C8C6BABD75ABA11AA1CED719198DFB30721C199,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:43.864{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875666FC0CE6E6AAF8DE4A930E2B45BD,SHA256=3C0BF53932E021EEA4B5386161C997814C60BAA0BCB4C90C02E797743731D1EC,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000028140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:58:43.442{AF4EC832-6B63-6442-1200-00000000DC02}764C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d97448-0x9ec6962f)
23542300x800000000000000028139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:43.141{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B456D7C54B9D327567D12DF72D3EEF63,SHA256=835E31012E3585135B2E463553977E87C02E3CE89E01CF004E206A471AF714DD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:44.928{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CB8667A69699F897B8776337966093,SHA256=DED7D0ABAA760249EDC9D937B558C923CEA16421A12FEDFD2D1CF4A36E6F9434,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:44.124{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-767E-6442-4F02-00000000DD02}3744C:\Program Files\Google\Chrome\Application\chrome.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:44.108{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-767E-6442-4F02-00000000DD02}3744C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:44.108{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-767E-6442-4F02-00000000DD02}3744C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:44.108{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-767E-6442-4F02-00000000DD02}3744C:\Program Files\Google\Chrome\Application\chrome.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000022959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:40.341{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50480-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000028142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.186{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51700-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:44.183{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02125FADE052F44A9DC41989A74710C,SHA256=342BBA9C593B00B15948CC7B81CB6354C5EC3EC79DE2D38705DFA4880B42DDE2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:45.201{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0675218A218C70B24653143CB5FD9CC0,SHA256=DCBAF20CB2360E9BDC6116E71DD9872F459C56DD10B4E1819B4727525BF1A719,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:46.709{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+d30b0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd
10341000x800000000000000022967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:46.709{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+d2b91|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:46.709{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF31347f.TMPMD5=1F4BD192F37F455E666A6F524978A45F,SHA256=3DEDCE8C8A9850C8DCE400D84B20A73ED72ADA56B93AD8EDCC0D71F32CCC9E94,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:46.042{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65899FD8DA11F0EC5B9C8D6A2D3B97C8,SHA256=E262A221184A4A3487B29494B5CF25967914778EE489B078F161285CA7ABD9F3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:46.249{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62D9FCA326E13323E212AB2034813EF,SHA256=83BC07A5F473570591A13CF688506EA31EC8C4E5D8237290906B619EC12361D7,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:45.487{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50481-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000022970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:47.308{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000022969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:47.108{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC1447737051E6FD15E4AF1ED7E4589,SHA256=AC32385A946A028BCA16605B5C7E44878E105FD8DE3FE7251E8DA7576EFD64D9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:47.275{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2579FFE5D8B75790E9B41F01D577C139,SHA256=DE3FBFB975A38A27CDADD0AB9B46D9B9180F57C44E323477FBCC117A2E8EFDE4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:47.206{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=915EDC31C0C7E11BF71E66FAC5E9FA56,SHA256=4D7B71B4FA63DC4AED881B3013581E8D38162F1E372B07B95F239FB570D25391,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:48.142{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB85D57F5C0B3753BC61B2C3B5C6EFC,SHA256=270D30DBD0BC08BB14AD703CF983E2C26FF75FEF444D0FE5E54A968F15768A9C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:48.293{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53F9C5251DAEBADF4A5ECB42929791D,SHA256=04B7C770462895FC37A44659E2FE8D73EB3B628F2528E225E824692C2F0E9FE8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:49.291{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3453C5ACF590124C8F9B6CC6D6357C89,SHA256=D2969A750A3B210B434EB202CB39291B822EB6FFCC8A9136B2ACC5815F4CF3CC,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:46.198{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:49.412{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508E08B3A1BEB1616E9CBF0C77B84654,SHA256=46A5DAD429D745E5EF6B45B289276DC157FEFCF436B5543FAEDD5215F9F966A7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:50.340{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CB9E86D4DC2153BD335A6F0B4FB1B5,SHA256=F69B7B9B0C002715BD87946627D3EB784ADE34FA358A15CA2A487A38E3FF5FF8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:50.433{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79A44B546D36CAC0131B5475E60E3F4,SHA256=EABEB373874FA05ECDF3BD47C59C445420525661BBCA3F42BC0BEBAAD645A0DC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:51.390{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CB23BEAF47EC3DEEF1AA25F36DFF56,SHA256=EB8615298599C3FC190B3EE363F7BA636569B813706DAD94C09637AABCB19016,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:51.463{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D750D847A788C720290EAC7D6F72B3,SHA256=6670DC101903E67729A5C1F133FAC69F1B1D03BA853EB1437AFF29B5F50DCC76,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:52.462{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3034FF83BE1D6A9DEE06D251E63E2EBD,SHA256=505F61C908ED29C0831752E93D44DDDAD42E739EE6B980012D092DFDCD5AD1EF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:52.504{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFB16A71898FF2763ACED03A53950F6,SHA256=11C79B6850D93C60068F50D84DC75CF6DC6C0131B718743B4AEE8D4FD1B390FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:53.493{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798F66BEB7E5CFA4E35AE2C34CA42981,SHA256=3B48E5904001883EBE87F67CA3E0E0E036E0C038A6152587ABDF1E94A58B033E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:53.540{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0F25A743BB40B610E675B9FCCD32FB,SHA256=516AAB03CF154A1A05471F5787767A4073BF60916BFB68094C74FB6DB65D2219,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000022979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:51.452{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50482-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000022978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:54.511{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5358844E6176AA4015AF915C902BFDFD,SHA256=5EB40FA5D741F71CC0FF6B52914B6DEAA63771E5648D7D2F84A2A855A42F5A35,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:54.570{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE498BC1C15F66A314F061CF2151A16,SHA256=1C856B380BBEF273009465CBE999984CE069FAD248F16E10927A35BF5631C0FE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:55.568{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D727BF92D0826AC7E4F05E6D35C8F49A,SHA256=65D215F3A9CB596FA76E42EB8EFA57024EE36A1D5721B542BEB5BFF4497C8F1A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:52.181{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51702-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:55.596{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8990F663328B67A71CE2A9567C528AA0,SHA256=F333F6F7AF35DDEA4F13BC63F327B3F523B8350388C7A04CF08E961AD8D431F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.616{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74C0587530C7488BB05DF601214257F,SHA256=6A92B5977328A9E33EBDD01A902CA8B1AC5A3C758ACB883E277D3D436E38332F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:56.615{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD49754218C1486F3B6A0E31F233E328,SHA256=B906C730CCD6EE30C9807C417D86FC23634ED1ACA97FA7040AE389296E037ABB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.352{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A80-6442-1503-00000000DD02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.350{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.350{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.350{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.350{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.350{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A80-6442-1503-00000000DD02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.349{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A80-6442-1503-00000000DD02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.349{223CB5FF-7A80-6442-1503-00000000DD02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000023008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.935{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2285ED865E8D39176F9280C6904A9ED7,SHA256=44FC6011C3DD66D4E206E2C71C92A49D6469D869EEF2AFB05B4859EE106F305B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A81-6442-1703-00000000DD02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A81-6442-1703-00000000DD02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A81-6442-1703-00000000DD02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.875{223CB5FF-7A81-6442-1703-00000000DD02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000022999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.634{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0355952A4BABCA187A771B804F118CD,SHA256=62DCED60994D783E5BF258B307088E01E85421F6B81D0C7AE1EC997B22D7C0D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:57.633{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E43BE2C764836C172F4DB8637BC03C,SHA256=B118971D96A73FCD66DA5A3A72D622B56432AE84751CF22F1B49FB7142757D0A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000022998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.452{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A5E4D26F8ED1AC782EEC26B1EA3F617,SHA256=FD179F3437B35802A2CB840DBDD7BF7C2BCFBFFBE33124E88228937087BEC7CF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000022997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A81-6442-1603-00000000DD02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000022992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A81-6442-1603-00000000DD02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000022991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A81-6442-1603-00000000DD02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000022990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.273{223CB5FF-7A81-6442-1603-00000000DD02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000023019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.768{223CB5FF-7A82-6442-1803-00000000DD02}66403772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000023018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.668{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3967DB551F5C7C3C409A97F11A74E395,SHA256=909D638901039D85CAF7ED0F34E8F1D3C1312939ED5A80691B35449F53F997AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:58.652{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48B6DD4DCBBA96EEAF8A86A902A07E5,SHA256=D4B3B32485B35416B709077F651741038C0E04ED7201D18C4FF992F184BAB365,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A82-6442-1803-00000000DD02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A82-6442-1803-00000000DD02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A82-6442-1803-00000000DD02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.614{223CB5FF-7A82-6442-1803-00000000DD02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000023009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.074{223CB5FF-7A81-6442-1703-00000000DD02}64526604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000023030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.818{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8EBC1AC41BA5A507E09971B7413BF19,SHA256=2964A6008D1B204C9ABAEF911B76FD73A8904DB63E0663D5994E4DDE9DBD077D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:59.783{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A98AC5C3FD9E5A272973DFC53AE15B,SHA256=679028FF317B31C1633BF0FEC803DF1BE5C9D091DC5A0300390E75B88C97EBBE,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.465{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50483-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000023028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.463{223CB5FF-7A83-6442-1903-00000000DD02}67166712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A83-6442-1903-00000000DD02}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000023066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:15.831{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5A8B3F41266BB0548729539A3F9CFF,SHA256=BA95BBBA3E13FDCADBB3325B5CA170CCF712D8EE0A00B438E98E29E19530633C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.462{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCD7B681D990879AF722C689D441CBF,SHA256=2170233F02D9DB4C1297CE348C152D0A640EB69559357BB068A483893D23BF55,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:13.280{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50486-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000028189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A93-6442-6C06-00000000DC02}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A93-6442-6C06-00000000DC02}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A93-6442-6C06-00000000DC02}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.146{AF4EC832-7A93-6442-6C06-00000000DC02}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000023067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:16.895{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF0CFBCEC646046ED671D39CD082E94,SHA256=5E0F17B3FEEF4E4A18DE8CAE64593BBF821028BF76772CDE75FEE745FC096492,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:16.498{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D67181299FA7D37C8DFF8CD35400070,SHA256=701AFA75370458038FF1C7FE2D12E10000F5398D7379B2566810D33D6CFA2767,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:16.196{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=550E1459D73659A4091000D0259EBADF,SHA256=7FDB4C79E8862168DDBE68D28020440DE330069EC3B8D83E324E52499FA26352,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:17.914{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C729FE8E6E676240AD1613743C9DDAD9,SHA256=615A5843921746079240505084CFB1055E7B1DF58EFDF0225C5055D1131BD377,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.703{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A95-6442-6E06-00000000DC02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.701{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A95-6442-6E06-00000000DC02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.700{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A95-6442-6E06-00000000DC02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.700{AF4EC832-7A95-6442-6E06-00000000DC02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000028203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.667{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E718863847575279E229B194B910A490,SHA256=65AAB545C37404B5AAC8261C8DF208B0C7DD4B357DEF6A6ECF433184681EC2F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.551{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BE6E9CE5B080FE5C83001A66A84A52,SHA256=E4F9A47EEE02B5FF2A7C03139F035A1712CA0E29004543BAB86E92800EF8949C,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.327{AF4EC832-7A95-6442-6D06-00000000DC02}57285556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A95-6442-6D06-00000000DC02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7A95-6442-6D06-00000000DC02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A95-6442-6D06-00000000DC02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.151{AF4EC832-7A95-6442-6D06-00000000DC02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000023069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:18.939{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEB9A616ADEFD3356DBAE57A995AFBF,SHA256=421502D5E19F9B6B54D5807F349663B05CF2F947EB54A5297B4EABF7C5987EC8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.585{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313214733C0F311717377C64BCC03DD2,SHA256=C08D504E943813E6DDFF53DE9C5A4E8BF2A73FA8832B245ECF856FA8EDDC32D5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.503{AF4EC832-7A96-6442-6F06-00000000DC02}42006840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A96-6442-6F06-00000000DC02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A96-6442-6F06-00000000DC02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A96-6442-6F06-00000000DC02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.330{AF4EC832-7A96-6442-6F06-00000000DC02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000023071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:19.971{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1290E65371A3142D82C0A3892092D0A4,SHA256=9194012B988AA8212F1F7799A4C1876761165D9ADD56AB4310B657397E698CC5,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A97-6442-7106-00000000DC02}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A97-6442-7106-00000000DC02}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A97-6442-7106-00000000DC02}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-7A97-6442-7106-00000000DC02}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000028232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.632{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C3DB0D1860AB5DFDB738654090AE48,SHA256=990E82E0679EC5AB572C609D119F6F34FE189BD2DBFD9F95E1E4BDE6A6E53863,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:19.454{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.455{AF4EC832-7A97-6442-7006-00000000DC02}52921384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A97-6442-7006-00000000DC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A97-6442-7006-00000000DC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A97-6442-7006-00000000DC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-7A97-6442-7006-00000000DC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000028222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.219{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51707-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.942{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-062MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.743{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC118E2335A7F6B9557900A5C1CD049E,SHA256=946B8FE132D2C53F4D4C6A7F432FBE3B78A523A427ADE4FB953DD086D025F952,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:18.416{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50487-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000028249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.616{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A98-6442-7206-00000000DC02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.614{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.614{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.614{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.614{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.613{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7A98-6442-7206-00000000DC02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.613{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A98-6442-7206-00000000DC02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.612{AF4EC832-7A98-6442-7206-00000000DC02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000028241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.173{AF4EC832-7A97-6442-7106-00000000DC02}46644596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000028253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:21.939{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:21.777{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305FD66487E3D5B72FA15E9452052766,SHA256=D7A105745FF83E29933BFB5965A026FD482E9C5465E69C3E7BFB31E2B9851A28,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:18.717{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50488-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000023073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:21.022{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE6548A9357DF63EEBA3CDB6304B0E5,SHA256=B2576E351274E13D6EBE2B8A5B75820FFC461AD84BC888593B6B6CD980A5B82E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:22.045{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0906B7235D97B1D65CC1A97592DA66,SHA256=5167A1F079136BD269D967B4D327E1D3237AD90C68B2C75C1836C663643F6930,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:22.878{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7465CABB1D938EEB60D25FA2DF0352CE,SHA256=2F23B6840D7FADA5502709CC8574B48B1EF723A0123C407EB8E8C9A0B1CACFC9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:22.593{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\datareporting\session-state.jsonMD5=F7C7690B87A08A37277D23B1B793E325,SHA256=7FD003308122FEEDB7B9B7E5497315FC2DDD243FE97EDF70A50B58EDECE3C5FC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:23.193{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A07E6BB724577EB2AABC5EB81F0FFC4,SHA256=65947247BEADB963366A65E4456C138953AB104CB65BF9DBD1FA655697C486F1,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.681{AF4EC832-7353-6442-7A05-00000000DC02}4404C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51709-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https
354300x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.669{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local52198-
354300x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.668{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local49505-
354300x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.666{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local64087-
354300x800000000000000028257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.222{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51708-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:23.916{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AB928D40B2061134735B869B5C1344,SHA256=E3DF81EDAE4B794A4E2DE0591F702A8446172755D30597CC2390BD306B3F2E30,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:24.970{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB3252D59C06551CC8ED9B294620A1F,SHA256=1B8AD7CDB5CE6630C4CD4EB613FE325A7456F498BF9BA9F76EAA5E93B8912F9F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:24.329{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57339B29F0040AC070777AC6BF86D425,SHA256=DAE9E20D2BAE9AD742E038D06B56A65FBCFD9E27243BC5041DE7CDBC26FFDD24,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.988{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59590A619D71D3374B5D7B023084170E,SHA256=8FFB049D3C96C09822263C20D42712CF323C7960A0ED7285B03518B4FC241164,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:25.355{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F93DF72C4FFC66FF703A73AD2304380,SHA256=E849A7CA5239C853065B1E9513E5FF0D3A91A3C8EA19DD782994EC8EC6E7BB62,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:24.432{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50489-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:26.393{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4BF9EB8EB8947EA1AEA4F3DD0A0565,SHA256=84679E81CB688A264D51E87EE5C1130F424222562D31417D76774AEA47687306,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:27.412{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31194F494E7000B737DD625034004910,SHA256=0A039FDFF215AFB9AF159FD979C977BBC9B1A892078AC2FA38AEDEEEB8772028,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:27.576{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:27.023{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23D149B627643BD124794881BDC93B9,SHA256=EF8961D0D383203D49B91C0A8D86091EBF1B85295D10E97798FFDD411CFDE2E5,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:27.380{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\datareporting\session-state.jsonMD5=CEE2DCBD31ED0A3326BFB6E3062FEAF1,SHA256=2E9D4487ADF5EA4B54582646586745EDBC12264F38E66B7E5730F33B008C6CBF,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:26.675{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50490-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https
354300x800000000000000023086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:26.662{223CB5FF-6DE2-6442-1600-00000000DD02}1236C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal58955-false10.0.1.14ip-10-0-1-14.us-east-2.compute.internal53domain
354300x800000000000000023085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:26.661{223CB5FF-6DE2-6442-1600-00000000DD02}1236C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9810:1e90:8186:ffff-58955-truea00:10e:4100:4300:2000:4c00:6100:7900-53domain
23542300x800000000000000023084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:28.430{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A04EFCF7F69AC57FD02EC0DDF9BA22,SHA256=BBBEDA09CCFD4774ADF1592EDDB1EF2F4396A2AD292E426923587A8BFEA83FF9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:28.054{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8967B2E257352AB959EA6035346BF613,SHA256=1B22EC4E0E0EE8321E281137661C13C02DA74AD915C4221A4331310B359DD080,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:28.398{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B58F6450B414464869D957E969628D37,SHA256=F9F3E12579F5F319683DB229C3E980655F36D2BCB78CE940189B4BA8A1D58C26,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:29.451{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6040AD53CDA613613E2197836964FB,SHA256=1CDCC32475EA997CA1C265192BC07E4E03B9543AE1F7011B928368EC5D69C316,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.783{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal54287-
354300x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.782{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal57742-
354300x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.781{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal58955-
354300x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.635{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51711-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
354300x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.234{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51710-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:29.095{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C8FC7D21CED313B1022421964D1B79,SHA256=CCC13CBC7949912319D70E5A5B8E88562DA274883CE11600470DD3F751A33DA3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:30.504{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3273CCD658007FBD764C4B02EFD327,SHA256=AAB93D660A44AFF085B9F10B75FE5A69F2B8082976D81152EB9C8A292FC29515,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:30.313{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6972B14D0710C16939D53A8EAA9F5F49,SHA256=4270085D345286D170EEF1EB67CAFA181F9F92BDBBB5509C3CE05812B696BA9E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:30.113{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF92C452F170DDC49754F10E19676AC,SHA256=19FE94E839B36A2340FEF25C9B8B72D5BB8C173706CDAF160B4D4CB7D15E0374,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:30.052{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-052MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:31.622{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD91BEB0B57E5BA671507EAC3E0273A,SHA256=787B5718269DD2A284AA013968F2FC0A438AE9478E5D5D2A291418EA609DE491,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:31.161{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93740D876DA7D5E73B5B5E78DF6C3D6D,SHA256=E7910FB3CADD77E38C5A3114901D3301622D5D34315DEEE14C4C226AB6CCD824,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:31.053{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-053MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:32.740{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A504691DE5D86C9C54618A442F807CAA,SHA256=DD593EE37E7F738A836BF0FAE3FCABADE22CF3B17876E2F92DC88F9B3AB3BC27,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:32.187{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F161A78748F4CBFEAFE1E2B7430991D9,SHA256=008BA1EB3BF74208FC8BFCF2A3A5551BED15FFC6920BA61B4FD8239A92CAB0A4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:33.781{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC5361888D7C0AD7438B19ABF03BE53,SHA256=C20E2248C09D089B0ED0397F13191C37E675CEE42B15AE36916AB50CFCBE4CD9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:33.305{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5070C097D9DF6F74816C7BCC9407B4C,SHA256=246E9CD10305B12522A960AE4F1B55187319930A422D230D92D1E81803EE0C9B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:30.282{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50491-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:34.814{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3DF25B3D9A523272B7B8318BBA1339,SHA256=C6D239ACAFB8C6EEE242395BBDB798D49F0111E0F53E7BF2E8A6DD995E54BA2A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:34.368{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA341539A305BA721A55640A8D776BAC,SHA256=5FF2F2293EBF31FCF6B326EACAE5A6F902996F15829D6D264F768E0ABBC990A3,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:30.319{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51712-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:35.832{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA9B72A3A919FEFA71C69ED093E1A49,SHA256=1C3A3141179D443E3EEFB8E1254EC54F66B667E27C7833F5DA57F15D6FB4D054,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:35.410{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B43AD020E06A4779CDC66A48D70C3E,SHA256=2022E9EEB629CC6B8C8BF25736FF8D0491959215058A5C2DE650A1382A3D9DA6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:36.868{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861A77C0BAD1123BCDD69226EC59431B,SHA256=AFB8404689EDBBB4DB94EF765C730E73B70162C93E762CA4C129980715CE4AC3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:36.446{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61BF22FFA30AC5046D81BE594A41B4E,SHA256=6D205CF4EB34D1D102E992E3E9D86325782509D8369C07710ED0812144173C2D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:36.347{AF4EC832-6B63-6442-1400-00000000DC02}10641404C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000023106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.923{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597763210BCE537979270F62A74EB26D,SHA256=F1823D267D56A89EACBF4DEAE1DD7EB59C6E5EE95B15ABB867448B5FB900493D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:37.576{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4345294BD12E05F800A3EAF5EDD1D2D,SHA256=4B87AAA2DA72E790CA8405897F0138B1E3F2D5188B3B906CCF37EB6EF350D841,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.506{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.506{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.505{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.492{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.492{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.492{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.492{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000023108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:38.957{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442C6B875FF16BDF3DCEFD3843CB9B08,SHA256=EC7D8FC2A29BA850B3BA772803ADDB0D55AEB8C3883CD35AE7D23C0DEF905247,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:38.602{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C05273469F7288EAC6805D859F807BC,SHA256=085A23BC4F6C7835062B0F5C035930845B9027D39A8F67A94E34BF35157792B4,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:35.444{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50492-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:39.976{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F164631F6F0A8EE79E56A225A4F216A,SHA256=2017F89F5EC5BC1138FB96565E276AA368AFDCBA4C38FF73D1CFC1C87B687898,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:39.719{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9CDEE2C8B7657C55934C966DB3175A,SHA256=CAB7025D4CF7ED1DA283591DBB0E461B4AA0951604384019093F722B48620D20,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:40.781{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8865308F370E63F679559646E397E9,SHA256=9E71729499491E25D266B891627CBB55B7A51A381061241B361E7F8C9B307CFF,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:36.313{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51713-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:41.837{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4E9B7E509371816E0059B31E7E5FEE,SHA256=EB386FD1F57800575789EAA4F9CFD0B73E7FBFA5AAF92D79B1EE2902221162FA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:41.000{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C255A8EF481923099D6E86E111649D,SHA256=48B97B1BE928848EDD88A9A698437CEE12B0FD1E270862CDA36DCE3E51BB9C88,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:42.907{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69B4E48C7336E3AB77950B8DC66A07A,SHA256=5D2CE374A0542FCEA9A00A4770E7F5C971B9DCBB3CEDC0567F4FABA419FE067D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:42.064{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7934FB768B88D65830244574B2F42C42,SHA256=D03AB8E4447E208C4A5053DD446A6BF52BB1413F0E53505FC9EC3EAE738B3C18,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:43.956{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3613A0626D4462E03BC3C4F2FB479A47,SHA256=CBD6250D2C5D5D76F807327095A4B2BC6C580C8061E7D6CDC1FCC463BA80A3B6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:43.183{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DF95D11754D1358F1A029D7D6D6771,SHA256=36BD21DB13181EA1A86DA6E10A79178E4BEA049DEF31FDC480E4B4705404801E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:44.207{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15F6B8A22F3A9B3B200BD854ED2EE87,SHA256=422929EAC3A2AF73E526C8E5515BD2C19E077ECBE1B82B7A181259BDA5711E88,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:41.359{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50493-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:45.356{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD92092B69B89B8B101F1EC054E0B56,SHA256=A7E607FF01C259354FC4E08A43BF7EA6E21EF1825526A3DD532113FE9706120B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:42.319{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51714-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:45.057{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDC6CFF8EE4566213AFDB78F1C206B2,SHA256=2CD79BD9DB007C444F91DD6011557BB7BCFB94633D2A54ECDF28226A5CDC6EBA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:46.713{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\datareporting\aborted-session-pingMD5=F1FA3D78ABCC8DB31FE7760FD8F41BA4,SHA256=210C1D400D3566641E6281BF056DCC6433D579BEB6FCC406B99E8FC7FC087E59,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:46.391{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692839B502BC12194193946D7F632277,SHA256=7AFF33C6A490B5F82F1E882AB1B4AFB66237F08D4F069B32D6F0F1163D298D99,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:46.187{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1971024AF2315F23452B2BB34ACA278,SHA256=93F11D697B225151D350B026B6554745ED634502F963ED3783344CE6E5162B70,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:47.515{223CB5FF-767E-6442-4F02-00000000DD02}3744WIN-HOST-CTUS-A\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF32220b.TMPMD5=169703CC3B6B2009034671FF016B62F5,SHA256=565B478F9B79FAB56C7E23BE4404BB4001A1E30C0B3A073F7B4A437CB9236C9A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:47.415{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644B7FA3105670F96695B742B3BAD69E,SHA256=303E023BB7692A7A0A7EF7623FDCAB3581A74F846EEAED08A6DD8920FCD12569,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:47.943{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0F14058DBC0199073A967A006EA7FD7D,SHA256=FDEDC667A660555BA8E091B3CED6C2E1025F14701C92DE3951FCAA8D4461602A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:47.227{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E234EE0F6B2B451A013E9762B994F9CB,SHA256=5DBE92E7419409DE666CE09A10001835923D749D95429A3478AE406779E90CCF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:48.463{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C9BCBCC4D4C56DE0CD4375AFDFAFE5,SHA256=2DE41C868B43E753E02F223C98213AF1741F0200AD281AF5DE87472F22F82C01,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:48.361{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3557BA2DD6D62C750AF175FF3506E8,SHA256=2ED2EBDE861DAB5ABEC1E90496E3A07B27EDD31F525D0E3697DC517484C15C1F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:49.481{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDE9A29F2670B039371C01703EA1031,SHA256=DC673369C0BB7E1C33588CAAE29B625049A340A855F43F0510B4DCCBC2258A93,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:49.413{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B4D4BFC88DAC8BAF6E253708A2FC5D,SHA256=F2E0D591F198008DB652D5328FF5BE2F14E41AC8CE8A831B79398886F0AFBABD,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:46.468{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50494-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:50.512{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E1BADAB5039E4596C1907829CB7A0D,SHA256=1B699A78CFA5EDF30DEDAE8F2AE62E16235D88A30F46D26AE9C2DDE16C3F28B8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:50.463{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FCA429E2B23DD0903A461CC4A6EE4A,SHA256=D1B284DD689BBA7172B765441FA8453CB586D9216D63FD90F08C45865211B653,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:59:50.130{AF4EC832-6B63-6442-1200-00000000DC02}764C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d97448-0xc6865cd9)
23542300x800000000000000023125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:51.557{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F318AA605954430BD29FE094770C2B77,SHA256=A0B2B0539FA419242D2744364FA540CA353C3DF0A13C1510BA4CDB5561F87482,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:51.600{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5717F2146FF1BE8330E914A93283DF8D,SHA256=99863732DA761BED6B95CD2E88EE8F6F8ABD3DC115FC72150B7930675526734B,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:48.153{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal58975-
354300x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:48.152{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal60814-
354300x800000000000000023124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:49.051{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50495-false142.250.191.138ord38s29-in-f10.1e100.net443https
23542300x800000000000000023157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=EDFA4783EBE475E24CD9BCDFDA6CFECA,SHA256=1A303432FE6B58498D932E2F7720256146A089952F3C88A464B5FEF954FF1F0A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=995083FA626030200A7A53FC1B1DE82E,SHA256=FCA236F398A72C71A53229D5866209B5E6C36764801A5090D9A14D5E020C50DE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=B634871D36EA6DDE1D13CB431C17706F,SHA256=B7C6CD75C84EA6B95CD0F12DE699831241F671368BA886F23C6F86C8D0EC2608,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=24D421EB8B0AC0D6A5FC2F54C1D8E3C4,SHA256=C0F9F7BC3CA0A9838A21E4A4779F0035FB9362E5D0668D14F5E79E9AEF87CDD9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=7478A70F3DA82FC6E7FD1C1A52EE9B63,SHA256=114043A83802F8EFFE60EA4E27ABC1A12CF2DC6DC81857177FB23DD484CD607E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.965{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=0A5AEF59E1E9FEBABD7684A17D9F5711,SHA256=672DEE7072F009217B8D0219D469C7DED61E3CD95785AD4FC76F29AC1A2A7A58,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.965{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.965{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.964{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=8DE809C096426850F0E591F69AF5979B,SHA256=274494D797A313FB8EFA2F5A82F160E186F1F36310186BC63E69256FEEC41A21,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.964{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=236B41BB6185C0BC2BA9245724E73BBF,SHA256=F4619D8820A61E0A9A187422DE0E97A8D21F63397848E1D61FE3177F8FB48186,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.963{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\content-email-track-digest256.vlpsetMD5=36713723A0C0C8612D524929DC29C10D,SHA256=0508CC0A1113565117DCA5AE294B1B760BF3760FECCE2DCD301C8B7B0228E30D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.962{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\content-email-track-digest256.sbstoreMD5=2C126E7268C6F11692BE11629C2FF7C6,SHA256=1B96CEFEA79E6F74B64B76820FADE940636EB9F5CD4B35E65584C85B004989F7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.961{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=AF32B9C2D675A714BD311805808AEC14,SHA256=7E3B35252F739A8E1469314A4FE3CF4B9AC906E0BBEA9F4E88F31F15C30B93DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.960{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=A5ABC81A6FE923E8DB43F979B10AD3BD,SHA256=B7CEA440E3ED079766AC192B672DF4DC17B36C740F9B17B32BBCB4E54AEF231E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.959{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-email-track-digest256.vlpsetMD5=180B597663D98AB1B5E09ED8EB61D6F4,SHA256=5A142D44D91F33D4EBD7AE81DA219C8EE0023BA8328DC2F5F1AC3FC2F8808314,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.958{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-email-track-digest256.sbstoreMD5=97239BC16E55CC1B0BED952E65610EE1,SHA256=27F32FC0B6D03158284FB804569EA171CE99E7A08276B68C7E16B4BC254B67FA,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=00E12F637CA3DBDCD1700E797EAE9522,SHA256=5F22E3810F487A0ED1E1680C7CF9CC33749E409389B386BA367C00ACFCF5C4B4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=88B44DC75B1D0E8B36B9BAFD82E73053,SHA256=6D7B3C150EA8E3DBD9FB4C521E5AFB2C7D9556BFF0BEAAA2661F3C3420AAA930,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=EA8FC2B1E715FF5F0D99177063DEC900,SHA256=1D20EE535B3A5CC08F514B342B32398677B5CCA3C5E3F1CE5B74370B2361B688,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=801B0CE649BB5EA80E92323DB6ED3A64,SHA256=4B7725D4DC97F1EF4A544E13CD559CE6A945B5DFF1C27A4CD0750E5D42C91FA8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.926{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=0A5AEF59E1E9FEBABD7684A17D9F5711,SHA256=672DEE7072F009217B8D0219D469C7DED61E3CD95785AD4FC76F29AC1A2A7A58,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.926{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.826{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=9C73048B97FF4FABE3E09B10D51E6038,SHA256=23B5AAB2E554BBCE1BA0FF7F92FDE77A72C8F50F280BA63C435C63452A12F76F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.826{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.811{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=B634871D36EA6DDE1D13CB431C17706F,SHA256=B7C6CD75C84EA6B95CD0F12DE699831241F671368BA886F23C6F86C8D0EC2608,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.795{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.765{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=EDFA4783EBE475E24CD9BCDFDA6CFECA,SHA256=1A303432FE6B58498D932E2F7720256146A089952F3C88A464B5FEF954FF1F0A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.657{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.610{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6361B455C9E3DC3D080F090FFB8BF085,SHA256=817C22CA20F8CB042730DF12E7EC494C9C12E0E435CBEDF606F15D619BFCFA7E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:52.616{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A458D088A380E6EA9923A3693945FC24,SHA256=908655F671EC6D98EB0A1B612D33739C1B2FFBA6CCAC313DC7D50A6F2CE89D90,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:48.270{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51715-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.728{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9C41D8B077F4B36BA4BA33DAE723EE,SHA256=52C3BE991A1EAE13C728D33B6B733EA88CC369BC6FBD490A423A3D0780796896,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.627{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:53.617{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFECDBEE8126E7EEB861295E51F5B961,SHA256=8E082EC1D8BC743F0FC2E603A4528E3E541F9AE13D081AD2A1DD4B61C24E746D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=5747CA1E1576D458D3F6DC2484EC7417,SHA256=7DDB690294FD365660A3C1B9CBE9A094B156E9BB7508AD770431A50272C3F7CD,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=F2B926AE99C7939A916918AB01A33F2F,SHA256=8114D3A16DB469A3519C773AE2489F89778B212FDF73C6D7A15E98170F2DF4CC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=527830308D13C74A6D66901E8A602A4B,SHA256=7FDC9CC74A44EAFBC50EAB63C55956EE93CB1066D2C36D71DB3A725AF969E751,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=C1A9CF32AB5213A7036B4BD6AF156C66,SHA256=BA022FB6993ACC15C243F547A1542B35C0701CF108637C9ADD529BDC042993F0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=D9447AE410C13A7A2072635FFCCE9A3B,SHA256=F32F8B9BC1F687AE70B46038251DE68480DA1605003803EFBA370236EDF57ED1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=9C73048B97FF4FABE3E09B10D51E6038,SHA256=23B5AAB2E554BBCE1BA0FF7F92FDE77A72C8F50F280BA63C435C63452A12F76F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=7674B07A44D9FF82FFC207994EC6BAC3,SHA256=F35BD1EB0ACB4559FE0C5EE2E98DCDF1A5C8E6A70DCAA01A74606F1EBA8CEA7C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:49.638{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal54843-
23542300x800000000000000023175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:54.729{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AD535B0193F4EF396D11E472B6AE1E,SHA256=5EA6B5945A5DA312DD691B7C1783A18F16D83D7EB53287505BD67A9D2E4F25D8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:54.695{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790E62BA39B2FDDC961660287B29DA88,SHA256=023107975491B190830875B483479CB57CFFC5E0E3B250F3FE7B7339CD9104D1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:55.785{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2CB5DC5383E69263E273245BE9C2B7,SHA256=21D5AC1BD8C64914E9C6E301FEDD443F1DAE3D4226D6FFADA0CAA536D92DB821,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.435{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50496-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:55.734{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D5DCACF7150701958148B743CD2801,SHA256=D6A42A4542222657B2ED67EE62D787FCDC942618F463F741E1AA614EEEFE0DC4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.869{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5574C4A5F8DCA7A6E9099C5A073245D2,SHA256=9392C00620A8AD142071D9E4920921C4FEADE773976903F695265669470FAE47,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:56.804{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1051D7F8EEEFCC45916F1608079703,SHA256=4E9E619FF3DFA81F8B30E6E958C42CD837619F44F06EBF066B885BB6AB362827,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.368{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7ABC-6442-1C03-00000000DD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.366{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.366{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.365{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.365{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.365{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7ABC-6442-1C03-00000000DD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.365{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7ABC-6442-1C03-00000000DD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.364{223CB5FF-7ABC-6442-1C03-00000000DD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:53.297{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.990{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09756811E97AC12857A98B52F61CE109,SHA256=5684C51F6E3409CFE5CCF995FC47051AE91041E359C2181D6F25674B2760AA28,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.971{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7ABD-6442-1E03-00000000DD02}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.969{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.969{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.968{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.968{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.968{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7ABD-6442-1E03-00000000DD02}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.968{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7ABD-6442-1E03-00000000DD02}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.968{223CB5FF-7ABD-6442-1E03-00000000DD02}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:57.836{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E52D77F06C5ACF11C1315C9FDA6D794,SHA256=33F3BD28A7B723103BD87DC6FC1B95EC2C073E0741920196C209E34760106A63,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.589{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5C216959643C9055DD7CED921D9D50C8,SHA256=68FC69DAE9BDECF4AC6BD951B64B7BDC5AD3EFCC95AFBBD6F3FBA29EDF515A4A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.450{223CB5FF-7ABD-6442-1D03-00000000DD02}49841700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000023195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.434{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A1A7B068979023F0AE2A9C508B862C,SHA256=7BCF743F80F402C8CA77F8D3494620218F728FB317F06FC6C1A9FA0EE0013802,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7ABD-6442-1D03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7ABD-6442-1D03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7ABD-6442-1D03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.289{223CB5FF-7ABD-6442-1D03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:58.853{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89C0A4AFB3273A4351CB4101633CD69,SHA256=BDF60A61725C71EC042FE394E08D0C0273E54BE18C7E538EAEF6BE0556D2338D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.807{223CB5FF-7ABE-6442-2003-00000000DD02}62726956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7ABE-6442-2003-00000000DD02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7ABE-6442-2003-00000000DD02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7ABE-6442-2003-00000000DD02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.638{223CB5FF-7ABE-6442-2003-00000000DD02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000023215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.591{223CB5FF-6DE2-6442-1600-00000000DD02}12362984C:\Windows\System32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.591{223CB5FF-7293-6442-B301-00000000DD02}56484696C:\Windows\system32\conhost.exe{223CB5FF-7ABE-6442-1F03-00000000DD02}2408C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7ABE-6442-1F03-00000000DD02}2408C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-7293-6442-B201-00000000DD02}24764612C:\Windows\system32\cmd.exe{223CB5FF-7ABE-6442-1F03-00000000DD02}2408C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.587{223CB5FF-7ABE-6442-1F03-00000000DD02}2408C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc create wuauserv binPath= "C:\windows\System32\calc.exe"C:\Program Files\ansible\sysmon\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"
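The sc.exe ProcessCreate record above (Event ID 1 on win-host-ctus-attack-range-328) shows cmd.exe, running as Administrator at High integrity, launching `sc create wuauserv binPath= "C:\windows\System32\calc.exe"`: a service created or repointed through the Service Control Manager (MITRE ATT&CK T1543.003). The following is an added example written for this page, not code from the export or from the Attack Range project. It parses the sc.exe command line (the `key= value` syntax with its mandatory space), extracts the service name and binPath, and scores the event. The built-in service list, the interpreter list and the sample events are assumptions constructed for the demonstration; the samples are structured dicts rather than the page's rows, whose field separators were lost in extraction.

```python
"""Triage Sysmon Event ID 1 (ProcessCreate) records for service creation or
reconfiguration through sc.exe, e.g. `sc create wuauserv binPath= "...calc.exe"`.
Added example; SAMPLE_EVENTS is constructed to mirror the Sysmon fields and is
not parsed from the raw export on this page."""
import re
from typing import Optional

# Assumption: short illustrative list of built-in service names, not exhaustive.
BUILTIN_SERVICES = {"wuauserv", "spooler", "bits", "wscsvc", "winmgmt",
                    "termservice", "lanmanserver", "schedule", "eventlog"}
# Interpreters and proxy binaries that should rarely be a service's ImagePath.
SUSPICIOUS_EXES = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                   "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
_RANK = {"low": 0, "medium": 1, "high": 2}
# sc.exe glues '=' to the key and separates the (optionally quoted) value by a space.
_BINPATH = re.compile(r'(?i)\bbinpath=\s*(?:"([^"]*)"|(\S+))')
_FIRST_EXE = re.compile(r'(?i)^\s*"?([^"]*?\.exe)"?')


def _split_head(cmdline: str):
    """Return (program, remaining tokens); the program may be a quoted path."""
    m = re.match(r'\s*"([^"]*)"\s*(.*)', cmdline, re.S)
    if m:
        return m.group(1), m.group(2).split()
    toks = cmdline.split()
    return (toks[0], toks[1:]) if toks else ("", [])


def parse_sc_cmdline(cmdline: str) -> Optional[dict]:
    """{verb, service, binpath} for `sc [\\server] create|config ...`, else None."""
    prog, rest = _split_head(cmdline)
    prog = prog.lower()
    if prog not in ("sc", "sc.exe") and not prog.endswith("\\sc.exe"):
        return None
    if rest and rest[0].startswith("\\\\"):  # optional remote-server argument
        rest = rest[1:]
    if len(rest) < 2 or rest[0].lower() not in ("create", "config"):
        return None
    m = _BINPATH.search(cmdline)
    binpath = (m.group(1) if m.group(1) is not None else m.group(2)) if m else None
    return {"verb": rest[0].lower(), "service": rest[1], "binpath": binpath}


def binpath_executable(binpath: str) -> str:
    """Lower-cased basename of the program a binPath value launches."""
    if not binpath.strip():
        return ""
    m = _FIRST_EXE.match(binpath)
    prog = m.group(1) if m else binpath.split()[0]
    return prog.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> Optional[dict]:
    """Score one ProcessCreate event; None unless it is an sc create/config."""
    if event.get("EventID") != 1:
        return None
    parsed = parse_sc_cmdline(event.get("CommandLine", ""))
    if parsed is None:
        return None
    severity, reasons = "low", [f"sc {parsed['verb']} on '{parsed['service']}'"]
    bp = parsed["binpath"]
    if bp:
        severity = "medium"
        reasons.append("service binary set through sc.exe (T1543.003)")
        if binpath_executable(bp) in SUSPICIOUS_EXES:
            severity = "high"
            reasons.append("binPath launches an interpreter/proxy binary")
        if any(d in bp.lower() for d in USER_WRITABLE_DIRS):
            severity = "high"
            reasons.append("binPath under a user-writable directory")
    if parsed["service"].lower() in BUILTIN_SERVICES:
        reasons.append("targets a built-in Windows service")
        severity = "high" if bp else max(severity, "medium", key=_RANK.get)
    # Caveat: Event ID 1 records the attempt even when sc fails (`sc create
    # wuauserv` hits ERROR_SERVICE_EXISTS on any Windows host); confirm with
    # System log 7045 or a Sysmon 13 write to ...\Services\<name>\ImagePath.
    return {**parsed, "severity": severity, "reasons": reasons,
            "user": event.get("User"), "integrity": event.get("IntegrityLevel")}


def scan_events(events) -> list:
    return [f for f in map(assess, events) if f is not None]


def _ev(cmdline, user=r"WIN-HOST-CTUS-A\Administrator", integrity="High"):
    return {"EventID": 1, "Image": r"C:\Windows\System32\sc.exe", "CommandLine": cmdline,
            "User": user, "IntegrityLevel": integrity, "ParentImage": r"C:\Windows\System32\cmd.exe"}


# Constructed sample; the first entry mirrors the sc.exe record on this page.
SAMPLE_EVENTS = [
    _ev(r'sc create wuauserv binPath= "C:\windows\System32\calc.exe"'),
    _ev("sc query wuauserv"),
    _ev("sc config Spooler start= disabled"),
    _ev(r'"C:\Windows\System32\sc.exe" create UpdaterSvc binPath= "cmd.exe /c powershell -enc AAAA" start= auto'),
    _ev(r"sc \\dc01 create Collector binPath= C:\Users\Public\collector.exe", user=r"CORP\svc-deploy"),
    {"EventID": 1, "Image": r"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe",
     "CommandLine": r'"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2',
     "User": r"NT AUTHORITY\SYSTEM", "IntegrityLevel": "System"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['verb']} {f['service']!r} binPath={f['binpath']!r} "
              f"user={f['user']} il={f['integrity']} :: {'; '.join(f['reasons'])}")
```

The calc.exe target in the page's record is a harmless test payload, so a path allow-list alone would not catch it (System32 is where service binaries belong); the signal is the built-in service name being repointed at all, combined with the High-integrity cmd.exe parent. Because `wuauserv` already exists, that `sc create` fails on a real host, which is why the example's comment insists on corroborating with a System log 7045 or a Sysmon registry event before treating the service as actually installed.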
23542300x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:59.899{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4CB4BA2F6A14FB3DF0185BC8C17B17,SHA256=8826961BE09751EBAA54AC4EE69872E75F223972F7904E10AEF36846E0F8596D,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.378{223CB5FF-7ABF-6442-2103-00000000DD02}5068368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7ABF-6442-2103-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7ABF-6442-2103-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7ABF-6442-2103-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.226{223CB5FF-7ABF-6442-2103-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000023225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFA3BF6C1F0C2EC4969FDCA6024247E,SHA256=582B830F739877DDC1F12D9FAB5DCD0DBDBB6E2107A73592327FE5482C154B76,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:59.599{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30F71BA056D73EDB1BC1C6BF520BC399,SHA256=1984D231B129DED827A1ED5759F2D68F519D8E9EB5589C72F81DFD2A70FD23BF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:00.954{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5848455904436F9AB4C8F8C511B03DD3,SHA256=45FEF300C1E88B0CA1DABEA2B37C506B740ED47EAF2DC9B6492CC453AC81824F,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AC0-6442-2203-00000000DD02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AC0-6442-2203-00000000DD02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AC0-6442-2203-00000000DD02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-7AC0-6442-2203-00000000DD02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000023236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.400{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50497-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.257{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D8B70C3B3CF3EC39ED28382A487890,SHA256=984DAB8CBC648AC48883B37A20E1EEE1A976EF9E6ADA0979D361AACE7299F966,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:56.600{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51717-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:56.600{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51717-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap
23542300x800000000000000023263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.558{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E68110761E257F064D743239DF3EB89D,SHA256=1C3506861B4E01E408A9CAA7EB1513100CEDFB69EA8932015502697EC5E9BB5B,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AC1-6442-2403-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AC1-6442-2403-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AC1-6442-2403-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.444{223CB5FF-7AC1-6442-2403-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000023254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.382{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E35ABB1A88DC87596185E5E3970EDBA,SHA256=03BFD155A104A83CD811B7990C29EEB4AD61AFD1EFB7CCF8D3A0561CFDC5BD2A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AC1-6442-2303-00000000DD02}5552C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-1100-00000000DD02}9682340C:\Windows\system32\svchost.exe{223CB5FF-7AC1-6442-2303-00000000DD02}5552C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.027{223CB5FF-7AC0-6442-2203-00000000DD02}10566688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000023264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:02.483{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8888F83EBB920321B1A67C5F9A601B,SHA256=C2CB16B8502031B3405BDF08A03CAAE8F2BAF05874401890FF7EB8AF2C3647E6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:02.873{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1D7B2CB2F21DF37116D635258CB9CA43,SHA256=76F61A654DBDC7D282D17691420A5D7F6788CC2AD35AF0C6DC6F617907C87C63,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:59.233{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51718-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:02.000{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F064246C8BD0F2FB8518946B73D56ACE,SHA256=3FD5B41804C4759DF454F4EB56B8E545778A91C344DC624DADC1D28FC2D68249,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:03.553{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357B7B641D8C7D272061AC65A993F6FC,SHA256=892B5208C949CE48EF35F4D1E75DB07ECB1718112ED0E1A7FA3DD53999A25183,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.580{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.580{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.580{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.579{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.579{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7AC3-6442-7306-00000000DC02}5164C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.579{AF4EC832-6B63-6442-1600-00000000DC02}13361436C:\Windows\system32\svchost.exe{AF4EC832-7AC3-6442-7306-00000000DC02}5164C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.573{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.573{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.009{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C5C59C16F170214D76748A50FB9C5D,SHA256=3F95CE6485613001B374F2FF1837CAD7F71794AC1BBE4DC8B875C101B539B798,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:04.664{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46C955A630AF13303C6F8CB513F2C94,SHA256=3627C61BBF6AEDDEB38DED432CC054C2E5D7EF51EAB83A788D4306375C8D0242,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:04.658{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=965993CBCDAE3C59D09FC2D9805F4D2A,SHA256=00B407AAEB86AAEDAA28E34A64DBE737BA2895BAD64C6365883514B7E3762FD6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:04.126{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB5DBB94E2F8D823B67B75A6C565107,SHA256=93331CC095A189697037B83D1FBC08F3B3CFC8744D57DD7B297F07C7041900E8,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:05.783{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9DE29C776CCD5F79612FE240BF438E,SHA256=556742EA6469E260AB466CCD6605847986ED0AE25D38B83B4AB9569E17BB6D03,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:05.159{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2304E8737906CA93379774DC8C2349F3,SHA256=2EFC277653292C2D70DA1C4560E7D0CFA7E67DC08FD06D46E35D78580ABFD51A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:04.381{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50498-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
354300x800000000000000023269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:04.196{223CB5FF-6DDE-6442-0100-00000000DD02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse65.49.20.67scan-18.shadowserver.org33342-false10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal5986-
23542300x800000000000000023268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:06.806{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A617E00551EB843018549996DDE45A3B,SHA256=5F37364CF0AEA890DAF0BA0F69D6798E273068168AC9FDBBD3938AE1C66FCE3D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:06.177{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15326944A319B63B4A76DAF226768CBC,SHA256=7C11C699DB71ECBDDA8BD7A9096A93C4F3D5AC52EFE617074C11B7EA384E4EAB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:07.967{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2075DF5B6FA361D12B6002163CC535BB,SHA256=BAE193A5B0C60547D1AD462AD13B6A6B6E4CAAFD916E209D8279C18AE09D3073,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:07.852{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7412C74EB2505E533C356BA0AE56C37F,SHA256=126DA8202EB204D4D14E9D8FCE1D07B9D7D7F7C6B48DF0F9CFAF2776706ECB06,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:04.283{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:07.278{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198E0176816C49397E82E6000FC3C1B7,SHA256=52344E2DBAF26A82CA864DF5EEB95A9028E91BFE936D9EED8EA08A335310335C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:08.938{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB65C01AA3D18D8678C61D2BFCD4851,SHA256=D810D287F0AC795E0A399002CF94DB7487858CD299BD65A588CA4901055C4511,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:05.062{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal62440-
23542300x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:08.330{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0962E1A9E196565495C9B98EF1DD1CCF,SHA256=1381C5CDEAE5F055C4AD4E355B45CEE41028DD4633CFF1ADF7DBDF85D29F7781,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:09.987{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1ACAE97C73D2A6396E6F4B3789F444B,SHA256=A3267D6BD9C145A870601F9527C7B2950402E228E0CAF951FC62C5A8382A116C,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:09.462{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8450526CA8985F88DD315070BF9024,SHA256=ACC4E10CDBA42D8C5BE94619B7A07AAFDDA541D4748505CB544CF3D2FCAE4979,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:10.516{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF83A8154EDA9A8052278492121C5E8,SHA256=CA205CBB8E5DC1F287A04513958D1D08B00216B74455CA74977EC055CA653209,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:11.089{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DE46759A9F6E7E556C04A82FDC6785,SHA256=ACEEEDC8B677DC5B7185D3DA1D58331AB8EA8F2784ADEC50E52B84D60445E114,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:11.548{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7A7F7F7951E63A436A3E7467941232,SHA256=EB70F186903D6CACEC46FC2E167D6832C27D976BA153EDCE708A26EDDDC9D22A,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:09.967{223CB5FF-6DE5-6442-3600-00000000DD02}3016C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50499-false169.254.169.254instance-data.us-east-2.compute.internal80http
23542300x800000000000000023276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:12.241{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D82D3062085816527ABFA6662ACEA6,SHA256=EEDD64D3AB38808FC3653EC25C6C3D700FA3A4712093B23B693C1D0119ECD018,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:12.652{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C021CCF09E595EC3C4F90143EFDC70,SHA256=54D546F8786A86BBA79940E69FE99816103DB850ADED0B9AC225E0517E5FABAE,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:12.485{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:12.485{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
354300x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:10.564{AF4EC832-6B63-6442-0D00-00000000DC02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51721-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap
354300x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:10.564{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51721-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap
354300x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:10.264{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:13.722{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB3A03941D0DF5EAB9DE42DD623B222,SHA256=3040768B2AABE2C6CB402F35C90E2F075A7228C5FE178E7A9E532AAB787CD2EF,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:10.387{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50500-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:13.257{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6FB68800CB3B246AD35EFB721502F92,SHA256=007DD1E2AC381464576730599CA9FF8A5F4EA8C6529C80E285DF30CF0F02079A,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:14.769{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93AFA76C2456D2C3BCACA1B6482970F,SHA256=A61EB7987D19683056D0D9CB8205E7B6D01535EEAB424EEA5BDD4341313161D4,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:14.343{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC6B2602CDC455AF712ED09881975AE,SHA256=0BC7A9C1C515845347BD74C7E7A11FA8750EA542408F20A994122FA0F84AECCB,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:15.816{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF941B9C87D2F58F32D82BB8630F044,SHA256=5B70E9F4932DDECC5438D2DA2E2501EC0843C49EA83497EE592309228DC038C6,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:13.070{223CB5FF-6DDE-6442-0100-00000000DD02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse65.49.20.67scan-18.shadowserver.org61830-false10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal5986-
13241300x800000000000000023294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:00:15.443{223CB5FF-6DE1-6442-0A00-00000000DD02}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WaaSMedicSvc\ObjectNameLocalSystem
13241300x800000000000000023293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1031,T1050SetValue2023-04-21 12:00:15.443{223CB5FF-6DE1-6442-0A00-00000000DD02}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WaaSMedicSvc\ImagePathC:\windows\System32\calc.exe
13241300x800000000000000023292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:00:15.443{223CB5FF-6DE1-6442-0A00-00000000DD02}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WaaSMedicSvc\ErrorControlDWORD (0x00000001)
13241300x800000000000000023291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1031,T1050SetValue2023-04-21 12:00:15.443{223CB5FF-6DE1-6442-0A00-00000000DD02}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WaaSMedicSvc\StartDWORD (0x00000003)
13241300x800000000000000023290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:00:15.443{223CB5FF-6DE1-6442-0A00-00000000DD02}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WaaSMedicSvc\TypeDWORD (0x00000010)
10341000x800000000000000023289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-7293-6442-B301-00000000DD02}56484696C:\Windows\system32\conhost.exe{223CB5FF-7ACF-6442-2503-00000000DD02}2308C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7ACF-6442-2503-00000000DD02}2308C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-7293-6442-B201-00000000DD02}24764612C:\Windows\system32\cmd.exe{223CB5FF-7ACF-6442-2503-00000000DD02}2308C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.437{223CB5FF-7ACF-6442-2503-00000000DD02}2308C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc create WaaSMedicSvc binPath= "C:\windows\System32\calc.exe"C:\Program Files\ansible\sysmon\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"
10341000x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7AD3-6442-7906-00000000DC02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7AD3-6442-7906-00000000DC02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-7AD3-6442-7906-00000000DC02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
354300x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:16.196{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51722-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
10341000x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.294{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7AD3-6442-7806-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.292{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.292{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.291{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.291{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.291{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7AD3-6442-7806-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.291{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7AD3-6442-7806-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.290{AF4EC832-7AD3-6442-7806-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.019{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD93B3E44DAC2755F2CBEE75742015F,SHA256=2BFA4D4B9BF2DCD21DD18181BBD203E52D0E17D72AC5B91585EE9BF1818855DF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:19.479{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:18.739{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50502-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089-
23542300x800000000000000023305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:20.719{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1AFE2DC21E30C8E0B9555192126EACE,SHA256=F10FDE5BBBF070DEFD4579CCC7686813F4579DD7205B56093A4DA604A3B22E64,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.820{AF4EC832-7AD4-6442-7A06-00000000DC02}23685432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.600{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7AD4-6442-7A06-00000000DC02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.595{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.594{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.594{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.594{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.594{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7AD4-6442-7A06-00000000DC02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.593{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7AD4-6442-7A06-00000000DC02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.592{AF4EC832-7AD4-6442-7A06-00000000DC02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.127{AF4EC832-7AD3-6442-7906-00000000DC02}19485440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.127{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF4C4744AE5930B08402F7011EDB79E,SHA256=77F642B02B098D2663582B51B19BDB9F00A6DC2F9F43D880275D637B441E6560,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:21.734{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91856B9229301668E168077DFFB50175,SHA256=1946E7314FA1B1DB02C36EB2565B64C3B4541EB53CB62931D9441936E9AA1DD9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:21.159{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D8EFD8EA69595DA15E93ACF6695686,SHA256=CCAD43BC8A9A3CB86A216E143EA9C5262E5AE2E3ED2B107E2CD7FCDDE4B43B23,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:22.850{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D52500F5FEE5683D8F8E71DC1CDC98,SHA256=EE067DA7FE00B37159470162533C285449EC032E021D68FBF8026BE503F6ADF9,IMPHASH=00000000000000000000000000000000falsetrue
13241300x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:22.530{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\3CE3DF5F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_3CE3DF5F-0000-0000-0000-100000000000.XML
13241300x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:22.530{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D34FDAEF-E258-4A57-A230-22BB3A38D685\Config SourceDWORD (0x00000001)
13241300x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:22.530{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D34FDAEF-E258-4A57-A230-22BB3A38D685\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D34FDAEF-E258-4A57-A230-22BB3A38D685.XML
23542300x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:32.906{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502D0DAE4B0E419FD50D4286EA15BAEB,SHA256=32DEFC0D9FAD6D33B5B49092FE0E5D70B0E34738A63B0B41211A66C2C70CFC48,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:32.560{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-054MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:32.390{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246ABE13AF2A33DA2CF0F7C211917563,SHA256=AB99EE8AF4CD94C43E48EBF73C53CE096DA8DBC7B7BC0A41974F7032968ED4EB,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:32.085{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B5D-6442-0100-00000000DC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97952|C:\Windows\system32\kerberos.DLL+79c68|C:\Windows\system32\kerberos.DLL+1458f|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+2da46|C:\Windows\system32\lsasrv.dll+332d9|C:\Windows\system32\lsasrv.dll+30c27|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+17bcd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e
10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:32.085{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:33.955{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDF8445D68841F69C1551597DC62B15,SHA256=EA3E6FD3045C5AB6085700271C8375D1A1A9EFA5F92337844A411CA4148ED331,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.171{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51732-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds
354300x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.171{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51732-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds
354300x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.167{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51731-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local49666-
354300x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.167{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51731-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local49666-
354300x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.166{AF4EC832-6B63-6442-0D00-00000000DC02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51730-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap
354300x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.166{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51730-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap
23542300x800000000000000023334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:33.530{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3A43055DC130821878D26162421369,SHA256=D2B4A8EB2DD6125A83840EFAD772F0FE2201744889BDF3789788FDC027C0ECAA,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.074{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51729-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.074{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51729-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.065{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51728-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local389ldap
354300x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.065{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51728-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local389ldap
23542300x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:33.054{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE9E51512C552B4C2F67B00B68067173,SHA256=75BD79FE76FF56FE31098BC61A26167E461F4E407CBDC179F10A543BDB32F1BC,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:34.987{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EAF46B2CD54166B1155AD7F20C20A4,SHA256=6322CD98B468D8BB24C4ED5CED8E027CB6F64AEB6B9B0EC304EDE9FE32A1BAAF,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:34.576{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1259DFE276C09E8010551BD87475F8ED,SHA256=7453C469C4AE4A0F36D755222BBB09A08BA971CB032C3CA76875FEFEE8EBCA1E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:35.610{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA09D769E1B8B6F9640C5F217085A28,SHA256=07C578ED3B2771261ADD7EC4E0736CFBD72E4E06186F07A5AED8FC11E7362A03,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:36.747{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73D3279702E4FDBE63D818EB7A22110,SHA256=9CCF433F21D153EA66810269F3445D1AF3D3E63EB6CC3CBE6EAFF5C2B2275BC9,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:32.263{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51733-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:36.056{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFEE7D918B168F4DAD1F48B5F89F653,SHA256=C52B9352E7098CB3580CE95F20BC833DEE01BB8101D5D87F9A9C9E80634EABC9,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:33.367{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50505-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:37.849{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA91D30296641D853E9939DE1488EA2D,SHA256=76B508D2F1469BD3AD354F92CB90ACE98ED5C870FD7A324BE325ED2F4EB709AD,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AF8-6442-2703-00000000DD02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AF8-6442-2703-00000000DD02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.390{223CB5FF-7AF8-6442-2703-00000000DD02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000023363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.238{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394F1B48072282EEFB98D5B705D05A9D,SHA256=03B55315981DA2DED465CFA766DCFF04654D3DE55B225DA37364A5C47EA8D433,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:56.409{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8673D999BBAFC0AB97DD51FDF78D66E6,SHA256=E69C4E619497E541E8A803F81D2B4F1A57F410FD6E53C559F525DE5ADDA2A5E1,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AF9-6442-2903-00000000DD02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AF9-6442-2903-00000000DD02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AF9-6442-2903-00000000DD02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.809{223CB5FF-7AF9-6442-2903-00000000DD02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000023381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.442{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A22EF88D46D76677D8A218A250E4E10,SHA256=B3D44DA89404D51D829737D3E6ECDA8A981F1AD99D931C85EFD19CE18C58ED19,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.346{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9DA262CB1BD0330407A2EFBC3CBCE0,SHA256=3631D382825B17DD81D40C889FD61D9F8754A19F2FA57FEA9364E3D1C8FFFF91,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:57.460{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB3DBD3C97CB317996C6B07DD9D36,SHA256=239AF3DE4161F904EF295BC626D145E733C753E88431B6319EB2C0C1B3CCDF7E,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AF9-6442-2803-00000000DD02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7AF9-6442-2803-00000000DD02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000023373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AF9-6442-2803-00000000DD02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000023372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.291{223CB5FF-7AF9-6442-2803-00000000DD02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000023402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.824{223CB5FF-7AFA-6442-2A03-00000000DD02}69325248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.644{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AFA-6442-2A03-00000000DD02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.641{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7AFA-6442-2A03-00000000DD02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
23542300x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:06.072{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57917C88500BD1D2C62B39546F7AC67D,SHA256=4B598B634A5F4A2037E1D52301D8B77FAA968D2D6E0F9EFAFC7A850FF1D43C67,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:07.969{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4AD1782FB25A200B609D6527137A8290,SHA256=E8F34FD0F1F5812407ECC4DE55AE0483D11FAD69657A76C8D1B4BCAA129D170D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:07.274{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F612FA2A39E6969F82CEF2CE5CE8CE7D,SHA256=9F72B53498F6EC37B5D3D70820BF5BB68659C2DCE32F3D1874DACA34587C1A2E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:07.206{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA12F455D33998E98710C6B3A88E1C4,SHA256=2B3C19740E5212DD9294E4AE4F01C1AA0AE692577240330D71EABFE4557E6113,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.406{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D8FFB77333BB2B6B67AE075450055C,SHA256=6F6A43664E2FB1A6C5DEAD1C36F6E69E8D2DD8D1D53D944F784FE16B2AC35BAF,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000023475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000023440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:08.371{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17F035A33421AF422809A3FDED5AB65,SHA256=01030AE14BB95017686DD7B85DFDEE45E9355D0C7BDF94B7C59F45D2CF5FE43F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:09.753{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBAD0BFBD2735276859B20F26791509,SHA256=72CDC2A197E20C774B01F6352DE064619B4A008E4666E751AD0365A655163107,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:06.182{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51740-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:09.503{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B1D677193802F39EE0CF85CF54C366,SHA256=55B9F6A2874F2F256896F058F8C3F00F07420F60081889E9024E7FA00BD94F6F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:10.820{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED086053424BACE7D6479732C6C19FE,SHA256=311CD9EB469FC17F7B3412257C9DEE4B5119CBE2C0FD6CE0D90634A8196CE53D,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:10.585{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBF916147CD54F320A53162656FABE8,SHA256=FEBBE9ACB909E97AF37D66194ABCD8739CEC5168EA5C6A8DF693122C48D2CC6C,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:07.528{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50512-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:11.851{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D337A38E762B28DD417F421489E08F,SHA256=7EAAF002F065E22F52DA7F50433E703EE8096C660925695110DA3952DE2E9543,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:11.653{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD3691F4B8BF9A6ED3B290A7B5D0F34,SHA256=1E0F3921B7FAE2B030D1C0C6ACECEF6FDF258A1DE53959D21F4D7EFA80A9FF0B,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:12.903{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EBD00FF2EC49E09D010F6F32F47F29,SHA256=69861DF83FF8E2F6F4B1E1708A99A1EEC7D9F250224C4220E3FFC04E6679BFB1,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:12.701{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC525A686596ED4C31DEC0B19F2968B2,SHA256=37670B3ED456C05D94C954C37FC34CFC08E51EE1EE68D9EA0B65F72BFD68F5A6,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:13.802{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E4F9E592812841E46CB27215A64969,SHA256=4A516AB6562A15B4542FE13EE0ADA77560ECE398CEAD535C3DF65F6B9F387AB8,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.937{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B0A-6442-7B06-00000000DC02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7B0A-6442-7B06-00000000DC02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B0A-6442-7B06-00000000DC02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.931{AF4EC832-7B0A-6442-7B06-00000000DC02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
23542300x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.852{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1491E185C23AD260063C32C5D5A4DCF,SHA256=3F3557B832709D2616E7D052309F195109B3BBC4452F51F9F07EC0BD6898F9B9,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:14.033{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2CCDF2847784C0DD6966EAEE54845B,SHA256=1DFDA59896FA38FBB83CE7ECDA5D9B811EBB136E4A4D743ACA9F7A274DAB2D98,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:15.983{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DD21569D89E336D16C8B97067A0FD1,SHA256=B4ACDB9D3E66E554B2A2205D0C82737C35E120BE8CEF1136D8D6541E3304C20F,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000023483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:15.148{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9832054966F782327BCB521AC5A774E3,SHA256=265B471C68A9662199D9F928FC5BF60196E0A332B15E895420BBF0C4702E7ECD,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:11.205{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51741-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:16.287{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC64A26CDEEAA1FDBB67567D1697FFD,SHA256=4E104D1BDD76EDA0C4858D58CA63D491E65B2AF6FD8ACCB7A72FBA27CF8831D0,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:16.229{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE59B011886AB481F5ED601E79CDEA3F,SHA256=EDCA552CC6FDCDD0D3B60484A68550CE76BED3F10A24F73D44414B555EE128B0,IMPHASH=00000000000000000000000000000000falsetrue
354300x800000000000000023484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:13.424{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50513-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-
23542300x800000000000000023486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:17.347{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E039078B3A0AC80BB6CE82B61C46EC,SHA256=CCD37341023ED4C6424FC01ED600A11305349C899F7F775EAEF599EA7D1ABADE,IMPHASH=00000000000000000000000000000000falsetrue
23542300x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.952{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=82210D074B78CA41D606795C15FAAB9F,SHA256=91A973B76613D5C7F7714DC5DEAB21198CEBAF1CE6C5BC80FC202ED6242F5882,IMPHASH=00000000000000000000000000000000falsetrue
10341000x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B0D-6442-7D06-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7B0D-6442-7D06-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B0D-6442-7D06-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.676{AF4EC832-7B0D-6442-7D06-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service
10341000x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.424{AF4EC832-7B0D-6442-7C06-00000000DC02}71045232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B0D-6442-7C06-00000000DC02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791