23542300x800000000000000021864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:40.647{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCB41E9A1B6C4E178974DB12C1D77D0,SHA256=3EAFC8C465A66761323C7D9085B4F732A01DA0C9816EEC7FB934597465981330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:40.491{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C4E027F34998AA497BFE8ED3679A48,SHA256=D95957F87D1ECCB14756068B3795E5B56367C4BF9D682E81387E946776F05323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:41.746{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4737753AAD5E133D65A30DE1D035E534,SHA256=B989F13004A5E4D60602B6B472C642D7A9361EE7246BA8602D0BDBA9D68C6DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:41.509{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5465C802CE6ADBFA219BC603AFAFA258,SHA256=227D2A7B494F16C37E0F2328209F9B93FFA95708B55D3BF9BB2971B7BEA83BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:42.879{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B391DFD51574A0DEF6301C27A98DA19B,SHA256=9A4DD583B83B6E70A37FC5500BF6C90D8DB6FA1819C0907E1D225970C4C67F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:42.629{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AE2BD63BFDA1042741CBCDE98CF74E,SHA256=0A233833DDDA6ACBED6B846C09FFA41794FEC821F4A553C6585DDF4E9DA200A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:41.388{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50398-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:43.683{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCFABE5D62AB807EBDCF8FB61CEAF2C,SHA256=27CD2600696913C3FF7A0780A6A11EAAF32FD1E2981EBA52B6A219C291476DB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:39.306{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65358-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.701{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1E519F8EF94633240C4D07699DC8AF,SHA256=EA0A17AA91DD70B4442380D1C62199BD039904D1A55C27EB066199654BA6A3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:43.998{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BCA390E41FFCDF09219E48AA5AEE45,SHA256=AAF7B1D8E495DF3FC23AB26DBE554D8640C96D1F78508AE26F70D0412FD9753D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.115{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=6AE70C80B9414F64D22B74C37FB1A753,SHA256=00557A99757EE7B6376A4FC014EA8888F03E080118A6707F5040AA8D6CCFEA48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.115{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=EEDC9FF5E7F2D31913516146FAE86984,SHA256=C6F32341DCDE294EC4991D149566D83CE3797A32BA440A8045E1A87E17F1B7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:44.115{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=7657411E92B17ADBBD955B4BCD36DE67,SHA256=7703B0A9147988CAC10DB625BE725FBA67D72DFB0B2FF0532C6BC0AD67F6166F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:45.736{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266F5F1827D46769230773F5E3C68022,SHA256=5526CAA9C34D169C4C13698465579290BDEA2320CCC20A32BE52DDC0AE35E9E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:45.028{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53E14744F267FB936D986568C7E1ED53,SHA256=68F71D7FC5953BDC92C84134A8A0FD714ADCCBA470EC1902B5DF60D5EBB95007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.790{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E91224D893F495E29BA2A4B80906DB0E,SHA256=554476B37608610D39A2FC28884EE10A7F68872A0A51958686FCEE727F390DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:46.060{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC8CF42CBC87AD9CF2662AE7F58E0FC6,SHA256=D8CEDC31175663785BA8E2BB98137148BEF8954D1B5E3A34CE70C64FE245E855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.538{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.537{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:46.537{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000026871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:47.833{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE4D69F413E93C50C9BBF6D74C60B58,SHA256=46EA7224C8D11A129DA879939A62AFEDBD8B14266982A5A07F435C2B048CF846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:47.159{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE0D4914AC520E58AED607F4C91608F,SHA256=189EF8CC9B5C478C7B3CFB093E21317FD862F41A70A09C95A5540800CFD2ADEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:47.108{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D8DC2E91218AF8D46C18F020366776B9,SHA256=1F252E206511DE829D540CEA94FC72548760D9E85A38378B53C20C7208525514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:48.853{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7373648FBF26A57709D7964195536AAC,SHA256=72E5806AB2028A84CFB8B805260425BF16B80D59774E7BD828E4AE1F8EBC2488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:48.192{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6F403EFCF291232AFA809CB85DCE57D,SHA256=1B29FCF8177444A217E1721944305A9EEB979DB1FC248B6A9A033EFBA0D98787,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:45.367{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65359-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:49.879{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C3FD086B2AD23B987CBB1AA7FBBEF3F,SHA256=8AF677A37CA79AB270D04836B9459E86D2EF2522AB5E13874FBB2E4194DD0EE6,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000021875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-DeleteValue2023-04-21 11:51:49.595{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileName 23542300x800000000000000021874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:49.295{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B75DABDA86F572C013787BC07F9269,SHA256=383BDA4CE76C755705C489A2BC4D7782D37D95890998C65B0CE6CB4EC61EAFFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:46.485{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50399-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:50.909{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0240943584EF7E156A74F88B8B0C0A,SHA256=F4DDBAA9C9C015FE88BA4C2D8FB1728B11BD974FBA92D9930CD9A5326A6C76DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:50.675{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=355528BE2E31D14F5F4E1B79CF901D9C,SHA256=C4FEB7DA5E1265C76C3896B971F83E9351F0FCB4BD36BAE7414DC46A973165A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:50.426{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86181461F10CD6A54D7419B6C800E30,SHA256=ECBA637EC6C8D2B8AB05877C7B3909749CB7F07C509866401877D02F6A7FF0CF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000026880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000026879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000026878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000026877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d97447-0xa87a5b02) 13241300x800000000000000026876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000026875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:51:50.223{AF4EC832-6B63-6442-1100-00000000DC02}688C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000026882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:51.942{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B61A15DDAD24D71A266DEE4BF7B6A8,SHA256=EE0F78004483C748ABEE883CFD2A8A186DE3ADA5A42C411E4F95985295E0A486,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:51.474{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=192D454C05E8FDE9B03ABA0FFC2E24F2,SHA256=69373227F37FB3DFA0AE623376A69633F2CE998D0AACFBF9D2AA62FB275CFA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:52.589{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846EEB9CBD3B69761C3FB2F8CE9B24BF,SHA256=7A3AD96BF10D22D3150EC2A4AEA69BA599EA453065A6CD6818D5F5FD24773A60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:52.962{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAEE8C4FAEAD4D7D01F95FA45AAC85D0,SHA256=A7303D126A0478C99B540FDF5EDBBB6AE730CE3FCD8604EADF78D91E50BF2FDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:53.623{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE6CFB22717E452685EB4608E045B76,SHA256=B37FCD6E113234CC5AC94E898D273371D4451D43FFBCB68167B1049657CD5096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:53.988{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D1D0ABAB3B12863FAD215E30D858A0,SHA256=D4E693FAC6F0812F2DCA4B1FF492DB2655E417B3FD2EE3136C9C1638902A75DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:54.654{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB03C2FB5EADFEE80B8137D73A939D18,SHA256=66677E565872D64488A8710AD8CFF5DDA128C8DF3BDB36FDE2A292489782592C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:51.388{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65360-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000021883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:55.772{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C351BAAF5718DFDBD3A6D954849BDF,SHA256=E8E3489C37383BA4A74D3EDEC3A88B4BF45E2E36968C206511A8821766F0385B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:52.443{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50400-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:55.019{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0FB4B1FAEAEB79AC2E1F99A9550BAAC,SHA256=7F52F5A8245F96448A3F1BFD41AB3406B4177B3225A2132EBBC657941CF33180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.790{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53E7E3867E85401120FB43A1868E774,SHA256=A72D87A547DCAB4C0D1EEDD03D165F5A7EC49C9C7DEF1E455E982ED2C517F659,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.471{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.471{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.470{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.469{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:56.469{223CB5FF-78DC-6442-E402-00000000DD02}5396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:56.037{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9EB3F1864AC2F389BF3C1D6E9AF6BD0,SHA256=04A7B84E53228D17E3351549C84CB629AF8564F4047FD15C1FC23779E4FC80EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.922{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE14E2F3F72B49446FC2D6169A58030,SHA256=7F7E87153CC7F1222AC81590448C6F7B4ED8B28381F75D44BD77FEAE91190E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.922{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=74AD64A7380FE985F1914CB1B0842852,SHA256=747B58EFADC7F2CBAC67D3774901B442092379F05B2CF5A1C474FEC864D1E54B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.871{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.871{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.871{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.870{223CB5FF-78DD-6442-E602-00000000DD02}4392C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:57.059{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F318335D05321B17214E5BF352E617,SHA256=EF9D2ECA44B5DC382B14900060F4D36FF1FBC7C6EB8715C51A51DD80188B474A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.538{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CDF4E4FBC543CDEFF774EF286436CA0,SHA256=FC10ADF69808B182A65B736C1A99652A4B2BD78AE52D6E6E623A22C05C4FEBA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.372{223CB5FF-78DD-6442-E502-00000000DD02}24366652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.205{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:57.206{223CB5FF-78DD-6442-E502-00000000DD02}2436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.952{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FCFB530057EB37D8A35CF4C031BB74,SHA256=5F9BE20F4E7E1496F2D517F5275B9288B936ED0753AA1620791DE7E405357847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.852{223CB5FF-78DE-6442-E702-00000000DD02}44126804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.690{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.686{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.687{223CB5FF-78DE-6442-E702-00000000DD02}4412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:58.079{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B275232F5B5B14134B9688938C4874A,SHA256=3DB4F693930DBEB678A0EF5F7FC6D0F7A4401F024683F6459748D51F130B8087,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000021937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueBinary Data 13241300x800000000000000021936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\ValueSizeDWORD (0x00000008) 13241300x800000000000000021935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\KeySizeDWORD (0x00000000) 13241300x800000000000000021934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\TimestampQWORD (0x01d97447-0xae4c7d74) 13241300x800000000000000021933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NetworksBinary Data 13241300x800000000000000021932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:51:59.988{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\NcbService\NCB\KapiNlmCache\7\NumNetworksDWORD (0x00000001) 23542300x800000000000000026891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:59.364{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CA6CDA95F57C27579D14BE07689904A,SHA256=796AEEF8D806CDA430FEE3D7A0E017D487FAF406C70AB2A0FA14EAA20E8257A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:59.105{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F31A6D066AF25AAF5F022E674B342EE,SHA256=1E9BCC8D89D38135B8451E452045E7C4CF20F3757988F2289CF6CEC8CB28AF62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.572{223CB5FF-78DF-6442-E802-00000000DD02}64803208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.353{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:59.354{223CB5FF-78DF-6442-E802-00000000DD02}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.924{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.926{223CB5FF-78E0-6442-E902-00000000DD02}5236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:00.007{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F145FA599B0475B65C3ABDE6343F0A,SHA256=D14D821115678C702855B4BFDEFEC3D833A1319015060C197D8EECD08EA5588E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:57.205{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65362-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000026894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:56.445{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65361-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000026893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:51:56.445{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65361-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000026892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:00.139{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCE5E121D4D83B37E6E70D1B96A0DEB2,SHA256=44510CC286DD3692F84EF914672ED5ECB7D23E153D04A91836D26034DC4BCD6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.495{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.495{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.495{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000021951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.492{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000021950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.493{223CB5FF-78E1-6442-EA02-00000000DD02}6884C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000021949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:51:58.456{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50401-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000021948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.109{223CB5FF-78E0-6442-E902-00000000DD02}52366800C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:01.056{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A5AD3662BF24B9BEE6C7BF39FAB46B,SHA256=DD357B6B1C71CFAFEDB72F26402A5E949B9AF90782D299FDF841F65B18C3AC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:01.172{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C13F85893C0D3A65E5DC95EC0477DFB,SHA256=D62649F3273A1A247909610B2D82664C57F0DA4B59D3C71D561ACE052103A08E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:02.178{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4BFAF0FCF07B99C844487C02DDFEA10,SHA256=F5F70E91F763E4888AB1C746CB75BEEF2F35D80CB438D65D6B184F9BE94EB0C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:02.192{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE03BE402C81AB06ECD0370B46D82AD,SHA256=11FDC6232B83BF8B802CE3B56BF9CA83272E5816B63532B61CAF60FF116EB63B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:03.214{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D622CC60F3393CA10EC501F839ECE5,SHA256=A60F2D52AD8502A501DD0438A6AB7EE9000F76DE4DC91B0DDC38901F94AF17BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:03.219{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DE6ED0CD3FDE8350CF966E1BC6256B,SHA256=7E43ACB3EDE6DB64358B3C8EB36FE6BD0341A40D1245521D0A3AFAF24B87DC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:04.233{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA666BABCD5D5C7C9C423B7DEE9F0FC,SHA256=F7C4F2F159ADF7B740C6C40710876D6F342732FD220F97406FBD7729683BF172,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:04.297{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF7E9F02837EBFB137E77AF88C70337,SHA256=6F84F562ACCC3A6C89F692A76268D7EE249A5952D616F6FDF090FFDDC98DD250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:05.366{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADFE82688293EF0E3BE27167881E1901,SHA256=1D0CDD7B275F8CA1032E492E16A7FF37844562F3E26F24875F1BEB77599EAFAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:05.323{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09BBA5F5E1F4494ED5A19BC3C3FD6C27,SHA256=07F11D8DD827BAC0F9EBDBD62D5435A665FFFD0F9D3022B2DE0AF6328F8650C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:06.437{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A1985F4C70E99346B90BCBF09276E3,SHA256=388ECE5610A59774DFD1A71B9023EA264D76E70E6B30A41D17E08EB2025E1DC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:02.289{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65363-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:06.385{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FBB364AB724267366331FD22C852F8,SHA256=2762FFE86E7BEF87D5CA44B59F040439A5B2D37DB3B6C13F951E45D03C6E023B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:07.856{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E7A767B62E5ADBF5F352EE507A0EEAE2,SHA256=423435C8EB42779916C1F8D9C4E4BE86FD31BF02291F30AD978B7420CBDEB40E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:07.556{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DAF329DBD11214F935F18EC54D7BB0,SHA256=E6D418CC629FD63668B514E3FAD32D67F381A3276D7BA0F5F639A9A1ED3D5B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:07.428{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518131E3754999032F16CE635078C6DE,SHA256=E194DDE77E95F2D420BBD955C82394CDD171571ECF11ED975DD3B43A12874327,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:04.338{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50402-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000021966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:08.591{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020890CE949CDA7CA27A52C43C59A720,SHA256=C145080795837BD0A3F6F851D4B6F3078103B236452DE53E69EC17B35509E68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:08.459{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACBD61EFBC13A1C57B5F1C53CFA45B2,SHA256=5C99BB135040572CE3325DE94223A537FEC9A7899385E40686B911BFA7A07608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:09.630{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79C2D9919744DF9E5666DFFF3157B25,SHA256=1E6F46412FEDFFFCC25514D53B5A5916F55E76591468942C3D14E9972C6A6862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:09.509{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E875E4CE838D0C74E7E8C004A0DEC8E,SHA256=41C4953F247397B15D83CCF45386BBDDB41C41EB189AC04654C20BE9B5E78E5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.663{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94CC1BC16359A66DE00070DAADF2CFB,SHA256=799F3AD6C3B46F525038C996853BDCDB2E58AF2D3FC189E08CF80096A63170FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:10.536{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF876A6AE7D31E743CE1091A0B98835,SHA256=A64CF9812370EBDE1FE78D3C3DA90289BE5507B7D11FDC0FE80BE901E79A1342,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000021970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.447{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.447{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000021968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:10.447{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000026906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:10.165{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-055MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:11.681{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBC51B6973573008AAB48F5A24EE04C,SHA256=E5B1F8061E64ABA5911D0C5162AC8407E6D103C2236858D5D7F52D4A369E7DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:11.615{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39FA3BC56AA1714A346FDA3EDBC895A4,SHA256=D2A928C23E17791BEB509EC391DAA482EB4D82C2896112D20D6F77DF3583D649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:11.166{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:12.702{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE28B809074D108BD02F16499BF77B1,SHA256=2E7B68207E983CC3992BFFD8A92D5D9B3FA6A9FA108E1B2A6D37B5E3ABAFA95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:12.668{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A57A5C6674EBE2354A1D52EC8AE053,SHA256=19D61F5274FF685977D34D9430B4A95031A216FAA8BACCF2AA84C5545D2FB047,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:09.400{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50403-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000026910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:08.304{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65364-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:13.702{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46AE67ABEC06047BA2C3BEB7DB7F3BAF,SHA256=640FC81E138263645E4BA69033E6C0380E9A208F509ACCBF3D6E165ACC375405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:13.740{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08F031E025D5B1426E3CEF5E0DFFB16,SHA256=9AB131A1DC0F278F8A668872CC2715E6BF0F95A743BDDBCAA1C59A9C71A8227B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:14.722{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7F982E62408E85908928838E88BD77,SHA256=3B1FE490D1F57789B3C503B26246221638E1CC92A036A167340B3804F1AB6664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:14.773{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E982492C724C5D1EAFD9D412DCAFA75,SHA256=1045C722AAE04B1AD3A1D97067D92E8747345CDF47036679825F4C87D69AC05C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.776{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E20EEB762B64E6526E2F562BA03BB48,SHA256=44A5652A83D445DF2FBF78A99AE34EFFA3011A7142B23CE40374592822840DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:15.827{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D711C7B2F3009DF4FB24942AB7F1487C,SHA256=E231629D85E835C6B991C2B6974E584172746997F9300907027B52F06039E827,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.175{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:15.176{AF4EC832-78EF-6442-3B06-00000000DC02}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:16.848{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B152A67FFD7856590A7389A33C90F8,SHA256=66A079F423783A3EDC2660C19A6A71B6543CD8B0CC2D97E754F75AF88EE5D877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:16.910{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A1397FC4CF0824E4F56EC1C24EC662,SHA256=C9DBA94DFC84D9D6689C874F2BBFF81B6AF3C138868AAB86FED7056F7C21EAD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:13.387{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65365-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:16.253{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67D637271CDEE22396653A3EC0396548,SHA256=29D7E17079F3059BDF96A2179C422ABB9E2FF462FF21995436446BD0FB0984D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:17.967{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C593491FC87EFF2DEAA3A24A7B7EA3F3,SHA256=C074C91D2F49CDC5E5914455C45DA4334AA286E6CF0513AFC6C887EBBA488C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.980{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376B81634A8657ABDC9E71882FCD077B,SHA256=4A501AC9D309967468CE4AD07DBA29AFDC94DFAB20DA9F6A88BB2DAB07AC6FE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:14.513{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50404-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.536{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C54DC49D6C8C735587ECF9BE9B838760,SHA256=42328C180F36DB73C17A08CE3AA2DD9213AFB5754A1BD7DC48F83A45D161556B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.511{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.512{AF4EC832-78F1-6442-3D06-00000000DC02}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.234{AF4EC832-78F1-6442-3C06-00000000DC02}50084360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.010{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:17.011{AF4EC832-78F1-6442-3C06-00000000DC02}5008C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.253{AF4EC832-78F2-6442-3E06-00000000DC02}68326524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.065{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.066{AF4EC832-78F2-6442-3E06-00000000DC02}6832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:19.372{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-045MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:19.254{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:19.017{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF94C0A549BFE33C09E4F8EC27573218,SHA256=A0993C104FD6BC977A20AE2693486F7508980985AC142E6FBB73DE9C16A7576B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.837{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.834{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.833{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.833{AF4EC832-78F3-6442-4006-00000000DC02}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000026963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.336{AF4EC832-78F3-6442-3F06-00000000DC02}44326452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.155{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.157{AF4EC832-78F3-6442-3F06-00000000DC02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:19.099{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFB33DFE2834765FA40AA7BFC6598B0,SHA256=660DF734AC238780792A3099867509584F926BEBD1A73582CDF977C65BB5E3D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:18.542{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50405-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000021985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:20.374{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-046MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:20.138{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B18944BBC65B50238E59E38D4DB660B4,SHA256=1B3309555CC887E8FA532C96620ACBD6A7E2216E423F29F6EE7B7469DE71E3E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-78F4-6442-4106-00000000DC02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-78F4-6442-4106-00000000DC02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000026976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.502{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-78F4-6442-4106-00000000DC02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000026974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.503{AF4EC832-78F4-6442-4106-00000000DC02}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000026973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.117{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BBA74A234021FB7D46FD04BD16CB60,SHA256=D747346678E6FCA85BAC24B10553D4AFE48E19FCB32894043706E7A95575C3BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000026972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:20.042{AF4EC832-78F3-6442-4006-00000000DC02}70842360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000021987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:21.174{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F123227C688E3F78CC93EE604354F791,SHA256=D54313F18DEE6E1658045F070DFE53FA660AF3FA34D61BA383FAEF8401BE90C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:18.398{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65366-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:21.562{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EA061D4592458C5E7FD68479F18B572,SHA256=EC2293039374519A8AB5916C24A8410E2F06CF003286E426BF42C54B3066D8D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:21.161{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2048146407A2B14509FB459A831FE4E,SHA256=DE55BF764BA032B5C574BD92A2B0BB9A8069BE14DB6C06B9DE0257339BA93B05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:20.494{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50406-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000021988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:22.225{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71559AAFE58BB97B214E27691E4B7056,SHA256=2EA7FB64A5326953272BE185FEA3ED3C7370E5A229906782800EA585E68AF5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:22.191{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EA33440BAFCFF3A73EFF39BC2307834,SHA256=E0D486C6E2063D953320AD6F0C8FB724D7B6B509229EC2AE8DD370E37A7FE935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:23.278{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76DF537F1BF46B2180E3F500D0F01C5E,SHA256=B86F29B7A57D5D6EFCC3A6F83CF2A4403789AF0241A5C47A75852B689E75AE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:23.310{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D193956052E4F2CA9C2D468967E24117,SHA256=A4A9FF5CDD683D116A3EDA9689D7009F322BAA2A0D266EE7C72C8FC00E57F2B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:24.296{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B53B26E393F252C0C91C3D88123648AD,SHA256=B9B6E822CCF293B1708C8920038E975F3D88F4CF16AFFF76C99E5642362FE385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:24.328{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF4CB9222ACD696927E85EF83C59A34,SHA256=444296ED3D160971ED2986C40A7ECC39C4D957AF423B4C27328FE078E7106859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:25.448{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68B4CB5E3B3FBB421048FA24412DA8F,SHA256=46C6426F629F4BD68DAB179DE54DD68A84C983A88604598C9E46918DF6161A9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:25.315{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBB36D3C0C9C81F48A901F5CA2C2938,SHA256=6C578CEDA8E16B280A71B16259BD9E4EB8A906AE9C9CF7677DB7CB5188C00025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:26.502{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89023F20E2571CAF9A192FBD626E93C9,SHA256=1D28A6950D99CCDEF710B7A1A0ABCC456792F2EC7363CF6EC26F1D9F12875050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:26.335{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14196A9D8A1C4AC05D008C174A4921A4,SHA256=E05374E749EFCCE555815FDE0237EC9A7EE73917699994FB08BB19AC6669951B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:24.239{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65367-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000026991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:27.536{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD2C55C6B9E123F995DF192C176C89BD,SHA256=4246324BE6DF695B52B633F49664A179A8816803D15493B2B5E92470CAC6B5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:27.990{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8BF936ED99BD429DD2D4830579657A62,SHA256=F6434EEB91099E53B52832C28DA86B9BA16D2D1C09E2739F454E431F78931025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:27.355{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D74C580B7A9F9A09D6096DF453FEF74,SHA256=DFE23ECEC6516BCDAE34B734229D72CB40E0BDA4B8CFB6073A538ECAD0B37C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:27.304{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:28.391{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FBF7730EB4874045C19F8D9250D140,SHA256=055E331312B6E774CE4218BAE79838BBBB4D05C8ADF9F6211FE3B8466E3EBDA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000026994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:25.414{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65368-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000026993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:28.557{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE861984BFBF28BA91ECF9675B64C43,SHA256=5C588421EDB054EF1622E2C821C5CA3B3EBAA3599FE22C5EED4295247D09099D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000021998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:26.493{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50407-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000021997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:29.409{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD7C48B158A5F188F6532301C5CF2AE8,SHA256=5D4CC999ABBE28D7248BD30ACE5650FFC7712EAB0BFE7B0D9A3FBCFD36EA5C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:29.640{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=551BC8AA5A1B94C85EE5E1523664E6F7,SHA256=A51F84FF7FB9284E9733FC591EF5A29C170E9F8D267095DB2A634EBAE0910E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:30.760{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACACF571F79C414950EE703957CDE17,SHA256=A9F5C6768AE463B5E9B64812B09983C13783D95F2208948F02E5864F4048D037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000021999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:30.445{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E03A1DC262F843CE9E442CA4136C6E,SHA256=F0CAA4FA88325F9F425DCC913D2B7ACC7D4653A37511765E7D47305C4EEA7786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:30.195{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=86471DEE75EAB1E83D0D00CC9E3620BD,SHA256=7C31CBF5891B30726731EA046B61EDDD1A4F006130F39E59B31F7CE0846A17E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000026998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:31.845{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A989A5FFA29A53C43FFE20D73CF681,SHA256=39A213E92EA907C8DB61A291BE2043F1FACB527830F63A116D64AE34ABBD4E22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:31.464{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63A66628B505B3262C52AEFF791C4E8,SHA256=7FBB4F11FD53442292A90827B352498A581949EC772CE0524A3D6CFC2186F47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:32.601{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186A78915D3A77004832625B038E4F25,SHA256=5BD3F5F7E456902C495B83A8C059FAD65F2E6B1536814C7C26F23F258D4AA8D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:29.251{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65369-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2100-00000000DC02}2448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2100-00000000DC02}2448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000026999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:32.086{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:33.619{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DA3025C445F4B00981DBB7EA9636D2,SHA256=FFD6CE2C044B9E1927D9FEC8ADF85ACAAD7EB9B356C0976F162247A8619111FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:33.088{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D227DC8C2FBB61182DBF8170EFBD3AEF,SHA256=8EA295588DFB6578030E76BC30A75229F5C31A9548CF56CBBB89CA86F0DF5992,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:32.356{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50408-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:34.654{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CEF7CCA0D6D2FDFFDCBB72CA03F232,SHA256=54F55FA60B234629F13019DBFBA01BB2E148654E9FDB9DC072A1CEC817DF2AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:34.119{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6731B130B4188F28EA5B0F359627D80E,SHA256=29A712E469F034B16821B1118317BE28E55F870481AE25B80D402CF24A2B59AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:35.674{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E44D722D13A1548D6E98139EE2500D,SHA256=8AF6558067F748F644AB7D88C49CDA80B9150B5F3EB71996A8ED1AC05E0E1D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:35.137{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C6000F9A2D1C5E4C662B367C7B14EE,SHA256=6BB7228BBE1FF1EC7128D420964985B14002D526C91F603655CC050469BF1B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:36.710{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA082064A5C23DA044AE3A3C0FC6D82,SHA256=80C5741497BC58B8BEF785993EF49AD6C24F5DDAAF7967BBD3C893A57F6BC12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:36.156{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E11F72258A60981920335BE35EFA22,SHA256=89549C680C82E118EC9A195D61617F928F5CE1F1C7F4C072BE8425654F2987A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:37.778{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3DF259ECCFC419D85AE8B475AE1994,SHA256=BB0ED9D1E72D8C2DD1FCD0A88A73D8673C9C92D4E06D2C92316FAD85A639ADC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:34.362{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65370-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:37.227{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12A2D85C716B0E0C5E10ABF088C9C68,SHA256=A9D796782F05C430AF429EAF5EBE74D69ED06843AED21CD28396B5D3B96BD965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:38.830{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DB3EF0A1FFA6DE319E376F3BD7538C4,SHA256=9B0AB84985B0C881B7173F58AB2A83CD0B609CFCD0FC579C975BBF729B0733F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:38.261{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C325B59BB0688308FB54B405B4F2856A,SHA256=73D3CCEBB3745740DAB55CB8C34B8B9DC7123FDE256ABA4A937FECE4ABF9FA48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:39.865{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733EB766B16E5408E4DCDAA5E06BA13C,SHA256=265C4C7872FD776C98310ECEB291B06578E4C3D5D99EB3A2F6F42C9811F36ADA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:37.385{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50409-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:39.304{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA3E61502B4A31C4EBC4A3CFE29CD95,SHA256=558C7F3ED26030AF2060786DD472C70E5E37A7C435306E443D27735423E08693,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000022011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:52:40.750{223CB5FF-6DE2-6442-1500-00000000DD02}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d97447-0xc6983742) 23542300x800000000000000027043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:40.435{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A92E233F622260196D305197919981,SHA256=BD3272D929424E18C3D06CE7CEF671613A9C615B8E26C0C9282587E1A83433DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:41.004{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2F59523ED7C9C652DF3E799D4FF28E,SHA256=5A2218587E401C0CEB09AFB1C6B1256AD4AEB20B68F30BF8C8D75ADC8EC210DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:41.454{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6A87C8709B07A1B4BFF6FC66F5B086,SHA256=0EFE90B5611BC83B9C55CA801896A38624C37ACBF8911F5E116814D39BDF276F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:42.038{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB1F5AF1C710AD40CA216517A9B9328,SHA256=89B93446B46DA4485720DB8499F4AD52CD71D5014CB68E20140C4794EBBE28D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:42.572{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6AB4C568A2A98D97C8F69180A9AF45,SHA256=416D725BA41F29D68E2F0EAB49648DB27699D13B970903A92A157375F96B004A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:40.362{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65371-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:43.598{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF41525B665E1AAA6104F6E5BF8F3D01,SHA256=ABBABA732D27C9C623B9079CDF6D2C50C8B12AE0E147BD5ADB8B8D3D452E9778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:43.157{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5A3D7AB7A69BED456EBB31CB66F17A8,SHA256=AC9263183282EF2B5A0B2183DE13C8E7F089DFA26699C94ACC7835BD99469C08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:44.647{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297C1FECE6B4E0CCDFBEAE5B2753A64F,SHA256=7FEDFBB71B2F8D08335F4EB2D913DDF17AA7F0557CCA3CBAAA9D32B5593AA16E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:42.528{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50410-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:44.176{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852DA0B0A0A08A3088AE786918146214,SHA256=CC61A0A440864165953FFBF0367E287707309B56B0DDFFED0C3255CA0B051B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:45.197{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=307221BDCD8BD8D43B8B137A2D3EBFF1,SHA256=1908A7FE98D00D57C1CFD91B5F1D2049A1EEF2C65B41F6692270828B3A6319BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:45.665{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFFB996161F57D1B90E871AC8BC4CF7D,SHA256=21DB0AD9028E422AE4BC12145070859B1EE07BB9491CF818AAF9C8E64D0418D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:46.701{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282B634BBFC33128859E822F7B84119D,SHA256=81CC24A947F00B9E959B14F389488F71A9B5F0A881A801AE5E33B9F9E3B3925F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.283{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.282{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.281{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.280{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.280{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.280{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:46.233{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7C5F09CCEAD776657C303B41282B92,SHA256=57A8D4A46D8762D584CC477AEF9BDEDB7AAFB8A1FCEF6FE36E8A355848762019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:47.567{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F85308CC61A9B35542CC6034297E01,SHA256=2199C418F7A64D4C3185120ADBA4093B3FCFAB41403AB84B2AD4351A78C87B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:47.803{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1491C88E2F248D424B4E30B1A43F53D,SHA256=9C2E437BF22AB8AF23639CD51B2E3DD3592B5D00E8E00ED16D0C3AF5FB623705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:47.753{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A9E58DCD852FA186C18B29DEB8CEF958,SHA256=69652D1C6E3332447A84D7D341E02654B43F9ED3A76447BE0236A5DB75CDFCDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:48.803{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFED5D98AE42DAB6E0982A230A98F2E5,SHA256=CC7426DCBED6F5C4FC0B55B2795C0E9574FAD33886EAE0E255823A23FD858B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:48.687{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8450825A40AF842336FA05D21A439E37,SHA256=E423F9229C76FB71FD175BE3EC1A28C5BEBBC07EDDBDF464F7F95F7EEE7A12E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:49.840{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842C80BB9536757FE7AF6DF17D215CF9,SHA256=C22BBE467300FA088482637D7C486F153E41C95768458C873497A64E59DF56B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:49.725{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E065438B4AAE3B3D79028E851C9F3DCC,SHA256=C79D193DD7D20745E82746F3E747CE490D2C594348ACE9640D8DA42825C2C073,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:46.290{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65372-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:50.930{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B09F838D95B09B4FC0333E8D59CA5BE,SHA256=C3B7C16287AFB6B2617DFD800895C6B6A6BF67C112B422DC42D864992B0A9A21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:48.342{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50411-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:50.743{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A45136BEE32B29FF335B388BA97A188F,SHA256=84923D6D5008F82C05F1B69D5DF78BA2D590D3F8E1DD7A8071E1E821E7CF5D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:51.777{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E660F69AD1FB04AD5E8E62DEF05E48,SHA256=C36F44F214ED33A26EB64A7EEBAB4296808BCA3D0A801B436FF99172AE3D8229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:52.796{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7212346FD584FE44BDF0B7A37F431F7B,SHA256=B9BE9F34CB1FD36F137E1850F18CDC61360CF0A63137921F79EE78EFBD291EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:52.007{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90CB1A6ED4E47ABBFB8D4DD276620097,SHA256=D9C4ACD7325482C0197651400504989D42D51568289EC965D82876AE7CF8385E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:53.817{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2576B201992790EFA6149BF9E85C0A,SHA256=E88C3BC2CB0DFABFA362EDA1F726C38BF701126F8E9A9415E1A511FB9F49EDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:53.108{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81718F665BB5E4ABC9F585698EE8AE62,SHA256=F43307099CAAE938A72A5F26F3B16581A1DA055AE57D685B1C07AF4EE0B80ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:54.938{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB8AC754D28A830C7033FA4083C73A4,SHA256=30C0B270F1AD6BF544CE59BE15F840015301A027757E08024A43B6A3EB4FC689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:54.209{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20DE7D1C551EB322368A05C8E622C377,SHA256=A1506C559F226F88FDC651DBBCA47DAC0E16B8E149B54A55F2BF5878E4ED75BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:55.956{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFF63BAB43022EF4383ED7C39D8286A0,SHA256=9CAD24EC0809F904CBD6F0824536B1AD1586F34577386D90E43DC0A6D430CC75,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:52.269{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65373-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:55.277{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DA20D1191F2C9009D12C98387791BF,SHA256=1CFEE376F2071EA02B83C443F0A1D92AE3278C0273B9C2EE5047B2CEF1B57E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:56.412{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EBC994D005B07791514F33412A158E,SHA256=CAEB37739BFD09B8B54043C26944A815D7FFCB4E165B2EFEA6ABC47F9A1487EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.388{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:56.389{223CB5FF-7918-6442-EB02-00000000DD02}2336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000022061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:53.505{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50412-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:57.513{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B873342D1698DCA66EDB449C01AAD0E,SHA256=5B92FEC5B00E81BF119D89BF5D58DF544F087BB661962F9E1EF732688312A34D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.892{223CB5FF-7919-6442-ED02-00000000DD02}6704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.444{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B9999B10F395BEAB14EBEC4DDA3068,SHA256=ADB2B9F9137234EF1537D43885F2D9C9DC57FDEA13AD86195E033219DCCC176D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.209{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.207{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.206{223CB5FF-7919-6442-EC02-00000000DD02}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:57.009{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCB714ABC9E49ECD078E7AA63A030C82,SHA256=311BA973FB55E8FBD6DAC6B33ED9F251EB88A72B923EFF3AAEE0B5549B62FB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:58.665{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A578A4AF7D91BE46A40E18FAC25BBF2,SHA256=DF7D79D447042472E2F258CD6D58D052506379D72A58DC2C1948D7BCCD39D5B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.897{223CB5FF-791A-6442-EE02-00000000DD02}50686996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-791A-6442-EE02-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-791A-6442-EE02-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.681{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-791A-6442-EE02-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.682{223CB5FF-791A-6442-EE02-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.330{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=655E34DEA7D9F93C5725A825AD9DD360,SHA256=AA1EB5F62686526C9552CC83C595247472B611B27A63337E5F4E6BCA20954054,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.064{223CB5FF-7919-6442-ED02-00000000DD02}67046684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.048{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE8D243A2D899DBB33A324E1713CC2EF,SHA256=CFCD552AAA097080BEFA347E9919F9CFE9397FA1A4140B8096717C8B4D441989,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:56.473{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65374-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:56.472{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65374-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000027066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:59.697{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F792E3B9E61D0300C7B63B2C16B48B3B,SHA256=D840CA0FF8605716F9440606E73A746748A71FB46AB0BAF6535CF176841EC3EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.452{223CB5FF-791B-6442-EF02-00000000DD02}6952292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-791B-6442-EF02-00000000DD02}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-791B-6442-EF02-00000000DD02}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.266{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-791B-6442-EF02-00000000DD02}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.268{223CB5FF-791B-6442-EF02-00000000DD02}6952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:59.082{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A59AB0C4B01094A48629B1B21257CE4,SHA256=5E0B031933711FCF745C6B6A824E8C130EB7276102F160D499A4163A3516FDF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:59.366{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60BCF872CC16C81CF2973ADDE09AF05F,SHA256=6547B57F57CC1DB264B15B3FB390841CEA207744889D93D95CD58D05459218F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:00.802{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF1DD429FBC41217464D0466510E1FE,SHA256=3257BF03A31A664097D890FEC737F39A31580C363A5CD5BDFCA3A3CD938B14D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:52:57.331{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65375-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000022118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.921{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-791C-6442-F002-00000000DD02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.919{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.919{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.919{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.919{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.919{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-791C-6442-F002-00000000DD02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.918{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-791C-6442-F002-00000000DD02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.918{223CB5FF-791C-6442-F002-00000000DD02}7132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:00.119{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF54A19357C7D3A694EB1419B3F7A46C,SHA256=687A8001FF709D66E5A832A40ED1EE7948279F7D92D175FE898F877430A24040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:01.945{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B199C169126F064E78104561487229,SHA256=6FF926347BAC59B7D0AB10AC20AC717A7419C4BD80E388C8E7CA62EF3058622A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-791D-6442-F102-00000000DD02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-791D-6442-F102-00000000DD02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.487{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-791D-6442-F102-00000000DD02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.489{223CB5FF-791D-6442-F102-00000000DD02}3496C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.171{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D39C638B831206737F773512555A715,SHA256=75E2B84D3C4A083F2D122C4541E0AA227197D7247AAF868B1ADC5DE738EB4BCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:01.156{223CB5FF-791C-6442-F002-00000000DD02}71327136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000022119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:52:58.519{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50413-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:02.207{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB63A2EB08509F306F282687224332EC,SHA256=1F61B33ED74FB6494490BE91E2E5F08572FAA657ECF0026936E6FC1870E32E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:03.343{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C67DCFEFF15656A58CADBD7C7D80EF,SHA256=1B3D5BD65B0E00B62FB8ED08C3E723A1CC4F930C1F621BF98C22D24874639989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:03.047{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D9ADD967EAE3B1D06B191889867EA6,SHA256=FF129E597657C439A3353D52BA3204D5D991DFDC09C41A2E23129FA5D5815F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:04.377{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379A482BD70EF5CC96A3C44961B8D9CF,SHA256=660B0F79DB70703E9C8DBC343F75E27CB6FA92EB2D6D1729C6B0A3A75C7419E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:04.106{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18C50780381A4E55AF23AA01DF5C5CE,SHA256=CF6958E086666CFF59885A6DA1CE1F7D4B6EFFD7316B2981CC598B9F057A4708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:05.413{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ECE4B8A1197B50CAECBF2546A955EF7,SHA256=72A46713ACBB02D1272E404373A8541FC5598BE64586F9A962CA58794C66E385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:05.124{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C4BB090AC72D4F42E3CD8914DF9090,SHA256=2B656C319E65968934604453E22042A659616AB47C9704A449C7B1F881FB942C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:06.433{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21760F96969C55828B85DB588DF9A799,SHA256=E0EBAA6B0D6409CBE8C328E3938C281B5C6E6BBAC479A706FAC777924BD0ACCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:06.250{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30130A5BC12ABD02CC3642C0D92202F5,SHA256=9968DCE24B87169CE567A9F256D70B6CEEDE5EE3CE9580779A1842A27FE42BB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:07.870{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=91586DEC86502DD26218D27BFEDEC59C,SHA256=847FCFC4E2F6DCA1DC0994E72EEB7B0591FF27188D71ED58CC8D658582025ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:07.570{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FDBDF87B965D68309E06EDC369B6C5,SHA256=A98DCAC6BBA07D59017044CF27B199A39B507BFCF075A53C352016BFFEBE37BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:07.310{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B627084F587CE697072E8AD12ABBDC3,SHA256=DF7C4D60B4EB0C18252CBA3FE6FAD661B6F89FD6271EB63C1C63E1F98FE414FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:04.400{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50414-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:03.341{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65376-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:08.640{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6C5562B80CD10897B1A3ED3C9EAF7E,SHA256=9080933B14AEFE0AADB066B0DDAC35A1AB05EE85925CD4A8C89B27C913DD3B46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:08.328{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4116251155BA58C9FA1EAB3CAAA758EA,SHA256=9E9E5F61843FE950735DEF4D80CD4012C87877D6C478FC41B4B54D3C64182E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:09.741{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A7058245BDD7C7B93C096021C884994,SHA256=AA6B6443FA618F3344D0AF2ACFD124B028F3973BF0F77CF39EA9470C006F2136,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:09.429{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=300CB9D2A33D86D28C49AF325F31FBCE,SHA256=3E3BAF3738A43CF52D2896E11700534B9D348BE5A97F879AA248236EBF17642A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000022148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000022147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002c0db5) 13241300x800000000000000022146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9743f-0x75757fae) 13241300x800000000000000022145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97447-0xd739e7ae) 13241300x800000000000000022144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0x38fe4fae) 13241300x800000000000000022143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000022142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x002c0db5) 13241300x800000000000000022141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9743f-0x75757fae) 13241300x800000000000000022140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97447-0xd739e7ae) 13241300x800000000000000022139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:53:09.087{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0x38fe4fae) 23542300x800000000000000022150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:10.858{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712C9B45C41BD54763B6E724DB0E3D49,SHA256=D829F23D667372EACC1729DE86CF68550EE04D9E6F5C3F2D4C67C84A3D57B36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:10.531{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081CAA922019CE4B009A379B18EEDB73,SHA256=FE15B866A8BB3F94BCFDEA0FE4062C29A549564D5A4EA0BE663B61BDA95C24C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:11.958{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4ECACC5901CDFA8AF9DBAED452A5FE6,SHA256=9F4E3FEC6B664BFEC417DC4A5E954FB9FEDD1911466252FB4480B134D511E836,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:11.685{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-056MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:11.583{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB748BF99ABD84FE434A82D6369758FB,SHA256=9FBB016C16A8DA9A234DDBAB85B2A5042A807866E3366712CEDE5482FA4C5AE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:12.685{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:12.615{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431B8EC086740025562A875A95DABFC3,SHA256=881D1BDC0EDB8372FA51139F822A6AA6E35B03ED4274568D95694D86781381DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:13.635{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6E8B7617BC0538757574902A720A9D,SHA256=CE3539ADDAA61FC7E92F03C8740974F3DD5904A3341109C933C29DA738283D91,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:10.344{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50415-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:13.042{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098A6A08C7630573E5DF2197139EE581,SHA256=BB2CA2152D583562A28BE76B26BC028010FFBA5131EEC4F4CD1C59744EBDCBB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:09.216{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65377-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:14.759{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18254A732448216540CD5FFA579FAB09,SHA256=FA67DFF0AB60F257EDFDABF99F5D38200EA27B6EF96A8D417378BEF770772450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:14.160{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2089B08279380191D51281A7BAF7EA6,SHA256=0BFA188B056D44EF03AF40AC5F971E60479240031DD24BE371BAB98645BF51CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.860{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC75684083CFD617CBE15F56BF3F021B,SHA256=B8ECBD8CCDA5E6291A4214AA9F5E4E90C823AE175655C4D648B8DCC0282AFFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:15.176{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE7DC3F4F3B7280253592885C24E6EB,SHA256=C219A8761953F0C5FB3D3C9F2F2700E8C3739E670FDC99DFB719FC8DC4559FDE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.186{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.187{AF4EC832-792B-6442-4206-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:16.936{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CC55FF6CCCEA617C652C2AA6442AEE,SHA256=BDB586020BA5281CB3786A64954A655CB5F4DAD1E010F2AFFA26BC3406F59EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:16.277{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D0543D25745FA4A378D0C4049F82FF,SHA256=8226442D8075ADC98C8FD52A6C35BF019843D5E44B38B988C60678755DC5ACA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:16.203{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98873840D5338415431A6A57B4E731EB,SHA256=3EA923C00FCDB6409B18735C14BEB1397E1407C27FD8CFBAA825634A56861504,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.989{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57F56777CC582756B78E02F2A822A2E,SHA256=82D04967DB9CAE1134255420FBA61A52490B4769391A0D5393489BD1C406B07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:17.346{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F718B0CEE6033200027E9E9D7288D6A2,SHA256=554396028AD2DB78960785246C6A318C95C4FF860B9D82268AE6F932F1E260B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.873{AF4EC832-792D-6442-4406-00000000DC02}54164860C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792D-6442-4406-00000000DC02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-792D-6442-4406-00000000DC02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.688{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792D-6442-4406-00000000DC02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.689{AF4EC832-792D-6442-4406-00000000DC02}5416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.161{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6653B74C897999066681A5A13E09FDC5,SHA256=71F5A22C59B0F9106C989FED5F912BB7AD70872122E46895B375B2580BE713AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792D-6442-4306-00000000DC02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-792D-6442-4306-00000000DC02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.019{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792D-6442-4306-00000000DC02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:17.020{AF4EC832-792D-6442-4306-00000000DC02}4840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:18.429{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB94FB64E8869E2E615E72BBFF610EB,SHA256=59D577FD5193DA068FFA22F3AD3DE4A02564D2B2F240A460784BB70CE1A64B3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.546{AF4EC832-792E-6442-4506-00000000DC02}8643340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792E-6442-4506-00000000DC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-792E-6442-4506-00000000DC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.362{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792E-6442-4506-00000000DC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:18.363{AF4EC832-792E-6442-4506-00000000DC02}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000022158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:15.530{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50416-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:19.512{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A8A5BF6AFBD609E2B0DB09EB01153B0,SHA256=8CBAD75674CC855F3732D72B7F85082DE8158457E87DC73782D73FC9EF39133D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.843{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792F-6442-4706-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.840{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.840{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.840{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.840{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.840{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-792F-6442-4706-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.839{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792F-6442-4706-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.839{AF4EC832-792F-6442-4706-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.348{AF4EC832-792F-6442-4606-00000000DC02}21525640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-792F-6442-4606-00000000DC02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-792F-6442-4606-00000000DC02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.163{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-792F-6442-4606-00000000DC02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.164{AF4EC832-792F-6442-4606-00000000DC02}2152C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.090{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0C48EC517B53B2CF5345929BF5CF24,SHA256=A3F5FCBC39627B4EA4940C4B3CD1B6D937A5646A31F002841EBA3709F891114E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:15.252{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65378-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:19.281{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:20.885{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-046MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:20.630{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE819A54FE851AFDE533CCE8FA3B3F90,SHA256=48013A11244EA5F342399AB31906CA50D086A5722587080943609EBCE1EEBC7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.508{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.509{AF4EC832-7930-6442-4806-00000000DC02}5972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.191{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A38B0986F08BDB7CABBC9AC675918797,SHA256=EF208E124514E87F53873E67B1B15A635E8939181F5C7740A4884D9C80CF5937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:19.991{AF4EC832-792F-6442-4706-00000000DC02}60804076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:21.885{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-047MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:21.752{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D2B3144B6734337758976EC3DC203E,SHA256=BC5466930C2FB5CB013D77BF983D15E16F3EFA01F5CFAAB0AD60CED791A8CC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:21.246{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EECD6DA5B9D9D88B68B94948CE422F,SHA256=B58446B05B6A416CD07D7C238DB76E3D7548480927FF9D13F6E98AF17F4793C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:18.552{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50417-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000022167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:22.884{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B117332255CFC9E660425E2851DF153C,SHA256=32F337C43E56C585D23AE21D7E01DD334FCD9E252855E94651E8753F58A7D7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:22.367{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC61B4C1C03F9A5C2730D8805118C57,SHA256=175C59F45B147F3710F68358003690512D341589A62B9357025AAF1C3130B562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:23.969{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52E9DAB21A2B96FDD39C8DC10A574E8,SHA256=F57C7E0C80F09B1D7B54EE2BD9EAF1EFA5BE65AC245B945BE8355ACCDAD242F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:23.395{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCED582F6726EA3337AED9E7C2F6B9CB,SHA256=374A2BBC5A816B72E1C3769590E4B09FAEF969DA66A442BAFC7481A587D09722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:24.496{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B91B78B6D06A81F5F0CA96D8330AA0,SHA256=B5A18028F7BBCA1D50A0137AC75832FFEC77ED773996348ED005EAEBC26D0CD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:21.520{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50418-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:20.273{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65379-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:25.582{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C76641C28083B998873C48EF0E115FC9,SHA256=55802209EBA77C493BF98FD223205A560AF1245B2515CD93BE1C3505E369F114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:25.070{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5750F62B427325D367D277F319B8FD,SHA256=ED5C0409832B6705FE17FEA5B2CFB5CC5021737CCCA1D5E60160529252F3050A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:26.715{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB7C85D234669EBB6911115B18DB21C3,SHA256=94F3CE58D4425E32CE06D6D386D008126DF0186F2DB8052648F4EE734ADA6C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:26.154{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16765D622820C4D5C60D0C6C69E8275,SHA256=F6B85842E036A64548B51D53E99C4F6281EED924CA73A92C71699A17923841CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:27.785{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738DBB6FD85B891FF71B3D9D7769D101,SHA256=E1575068058C78DEA803AC36EC28808F1FD2D30963AE9FF2CF325DE7D927429A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:27.519{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FF15CE74429E8B4176186B86EB64C0C3,SHA256=9133DD7E42456DA430DE92139DEEBFCAE9548DD398D33659BAF88A8856AA6C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:27.288{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92FB74BDBD6492D8355DE2966B29FD09,SHA256=D3492E74010EEECB51A5D2DDFB9EA3330C6B865FAA364D6E99C908CFC7FB60E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:27.331{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:28.817{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079012D37368B552D352412AC0AA08D4,SHA256=83E5077E1EE800C5FE14C84C9F2B56B13830587B6A80D4290D3036664FD52C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:28.390{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=666550E8E56AF8074210A01A04299E86,SHA256=3954FD3F4B147CCD4E3A5146E2F5F598EC3059B491699B3C3A3D7C9D0E25256F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:29.491{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AD090BF3CA5D7F880677ED0FD3E9B23,SHA256=496B42F7D829768B976275162EF690647B5D2B653D31E017D641021F2EB177CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:29.833{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7276772A4D3BAF4DC91DF0CBE7519578,SHA256=C57D652128BE3EF05707923CB81659265C6414E79F14DBA6A3CE2A8F3A1880F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:25.447{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65380-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000022175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:27.392{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50419-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:30.576{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A785A673B5AE7DCCD876D054F29BF1,SHA256=A714C638DEA014C9A1C17A150222B4B48639DA828A9C25274EAAFB5490FC6DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:30.852{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0239D855FF2EEACE536A742B18318FA1,SHA256=9C13B7A21062A62A25B96CD500625514F502112F2076959913EAA02365808797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:30.202{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F431996CFE52AA040CA1E1C813E161CD,SHA256=48B385A9177AA8EA6C83A185F670AAFAC51DBF057DC82BAD563FC1B1D3F1F13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:31.663{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645E4E289E97D7324E6F2F8F1E3789A3,SHA256=02B1F95FF7C9B729D206C0F6C2BADA1EC1CE3C658EAAE576451273CC84D04C71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:31.953{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7CF90AC6B9D99D841CFC3F341A6871,SHA256=4AD791EC90004D0A239D0074FD18B0D30AF276DDC60FE9D9A989B131BE496511,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:26.182{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65381-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:32.780{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F67FB3FD7A411618BE2172AA897E7B,SHA256=646A9FA78640BB84CCD2D0E78FA89F583EBCEAA392374329F85DF777D5E36862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:33.881{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03677044A0FD0AC2C3E1B7DAA9270D1E,SHA256=448EDE68ED794F3C4B2D3081D5717A25EC6795266E6942CBB25E6B9967812C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:33.021{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA29514E473C058C466B664B5DD4C1F,SHA256=DAFE24D5CD6CBB87576BF22575ABE3EFDFD8E211B916C7F385A17EAE6379663B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:34.997{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE7ACFD987924C9D1EC066760315DC51,SHA256=F98EB321E356351F74B5817510B919ED4A5CB8AE63A62964D51FDCCDB5B9CD1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:34.037{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4543F8041DCFF3074DF245AD83D229E5,SHA256=5240BCD056BD6FEDE5AE03AA01EA7858D23066F4DD0039C27F753FC0E904439F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:33.368{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50420-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:31.309{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65382-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:35.056{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D53AB8B394CB9C9FFC48E76A38569D,SHA256=290AF76F5B71ABC44CF23E768EE25A5B66781D5675BD7FFA795A5FD19E5BCC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:36.114{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBD71E47621FE6196BD215C778EBE07F,SHA256=AEB49DB4820650026792A3FF727BF2250E139C868F3EECE2606D38F3CF1264FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:36.640{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=061DFA031CFB20C4D631FDD1AB9A2B7E,SHA256=4E1C8CF61272F18DFC953EFDE16CE74EE7933021238F8EE35C6157168026B56C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:36.208{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB881D33B20D0132F0D1A54C954612EF,SHA256=EB7CE0372FD4028ED472E1094CAEA6956D78B9F77209A01910CA590E0297E8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:37.148{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE4429328DF505A80464B6327F3B0C3,SHA256=88CD9FD5C561DE8EF298191AC68DBB425D48E682288128C527BE81AE677F16BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:37.225{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769C1449DEB42C862B481C5B24D448CB,SHA256=FF5392EB002AE67220700078111AB56F63E9230949186A9830D0CF387D89C437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:38.200{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E0CA5BD35E0C95E13AD8D02D3DC294,SHA256=1980EC437F8CB76EBEA9A464B97BB8A566B2FC982FFB6788B2EA00D4B575952F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:38.359{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFE923DEDDAC2F62B4936EBCFCD76CCA,SHA256=45FC3976B3C8FBB344972871C977EDC002B11B0F6D02610AFDFFF40D30A00C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:39.268{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978D19241AE4E8B2FE75F742AE778249,SHA256=2AFFECD7541E870A8C86FABA1C9F7B882783EB9416F08CEFFA2EDE6AE097949B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:39.413{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F840632F96009FADB89269C108F3F941,SHA256=CB2F648DAACA33C209C1BE08EBCFBEFDFFAC9A232C6B927B813F84B945D29319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:40.351{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD970280E540C359C007065989DC8C07,SHA256=3BA78DB3559C7FF894D1B8B95D06F628DD803C52D8663433840E88CB52EEA39A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:40.563{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3791E993658AADE4A1241DFFB009D5A,SHA256=E22E732B10B4578C5890009003AC09DFD4A99439A50CF53A5E3B23C11BCE3756,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:36.314{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65383-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:41.670{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=6327D69923DA8EF02968B51286F46737,SHA256=870B68F2D288807E588070BC34BB21DF4F84761F529A9330220B3DA0DCEB6DC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:38.455{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50421-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:41.370{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F7DD7B06F66343D8E79C44E22310D1,SHA256=28A64FF0BB1A2878930A030F1F115D08C488A534839290FD88B66316FB987985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:41.700{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CF28EE1F07FD6B7A1FB50952ED0879,SHA256=770785511B396E0FA0BEC8DB9C564D9DCC3D02B506E2A59839421E435312D80F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:42.454{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB937C33676452F2C08A5E62F1343E2,SHA256=390B98C141067961B07B748042C23B9950521A244CF79DCFB61738C8124110B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:42.748{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA712438447C18451B3709011BE7E52F,SHA256=385E4DFA12D8922553A38A4CD59F7DD7E72A2385324A6F377070F1F964042932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:43.537{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F764E4E4460C8F4CF0AF16456793E771,SHA256=13A532FAD14246731F219E1CF044DDFE47C353A2DCF5AE9A750215B00E81BF06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:43.790{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C4D009CE6991F84F4ED5526AE5EA71,SHA256=FB35992686577075051810376940CB8CD9FF8C42A4B89D5E67609BC1434D99D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:44.606{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7A09AA6CC18CC4FA275427FFDBF44D,SHA256=8EA4061CCA8EDE7B0C33C455164962C8E7EA181E472B2C2B03AC522EB6B335F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:44.803{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D62CF1DF43712DBDA8C756994F14B5F,SHA256=60ECCC03A7E33C91C46D90B467315D8B15D00E9EF92C41F53F8FA925949FFE71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:45.676{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369594E84F6FBB988C6025D2BF437683,SHA256=F80CED72DB75F86869B31C937A54E55A6AC58C7E4BD4EA921C913489947F8490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:45.869{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E11C2C53416BEF3C1062097F1B7A35,SHA256=D3F7EC446E1694BF2AE3D32062ABD675C152205F887B7E05C12B1F0D3E2F0821,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:46.894{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E3682B9F4FE1ACFBF5128904ECAB34,SHA256=7E5A68B30A23201B16FD0DC9F36A143D4D2BD25C4F3A58ABF5876A34BB7D650B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:46.695{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3862073732D099A70965B89579E258,SHA256=6D9E7038089EB7553E7E375575A606C1FECC33C2794D1C0E07EC5AD7FFB6E156,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:42.247{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65384-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:47.938{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DC8A3764D7C79927EEB4F42EEF5D54,SHA256=FD8A233BFFFF7E3A481AA23AD86A0532B88C9318FBBA2C3F586A7A933B384BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:47.780{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B93ED925ECF683A8E009942504898B65,SHA256=8271D2DD1DB3EB219294EFDBE83A165266FBDF6514C91D9564E829DDE9DACF44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:44.393{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50422-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:47.494{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CFA1C22783F25EFF97679DA01864443E,SHA256=0D707753381709FC19A6D7F635092811A97361B57C843E727F38285D772AE331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:48.997{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=559697A6DE31F772C3C3BAD6C35403C5,SHA256=378A33B7539412FF8A75767EF9372C18E21CB58EE9DC9780B6FBEF62C49F3512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:48.762{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B18C03FFB831A7F9ECE20C491BA29F5,SHA256=729BDE8B230B92581DBD090714F7114771C425AC11B4C03C2E6B3DC5C5A68D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:49.862{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8F1895827AB0831B50F913AD7B6BB9,SHA256=3432F8168EC91A7AEDC5AE7CEC81DC1E5DDF0530C9CC1A7562A8265151895772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:50.983{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD268ED52C6FA72AEF920BF698C21C01,SHA256=994E8D0777D7B11FB947DB29C826D3550FB425EFDB19738AC30F13F59C996E62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:50.056{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5A5248432FF98E0FD546D4EBCD9A09E,SHA256=B094D15395CD87C379893C4B583C8BF3CC805C81AAEB645EE07875DBB743B1AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:48.185{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65385-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:51.074{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D98177EE2A4E3882A593C63C53DC299,SHA256=A709EC7CA0EFB2FCF98339C1DB3A967D6C6E03F108E8B5F6E2B13613B294CC1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:49.448{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50423-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:52.100{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AB12B350EDC19E687C9A9C074F7A44,SHA256=57D574E853F0E7D656A35EFC2865877B3DAA53E6CF508CD62FA19143487E7DDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:52.127{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F951E22F553FE9D3E7E0898C3FA3F9FF,SHA256=626F18A5883CB78B6242EA4EE6A7199D635579F45FD529067918A969A756A240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:53.217{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C0BE70677C01B9F70F732EF40EED0F,SHA256=B6E08258F66E1449BCD9D6A4E275669EBB054F1FFA83584049B7F7A9096089FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:53.243{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4209A3E05FD13CEBEF2A8123E756282D,SHA256=4318E6CEE12123CDA173395B79FD57290D5517E0C1AC218F8D82328DE4390E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:54.268{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B269A091BFB2481000C36A16D8DBE4,SHA256=A6CBE753DD51E16128F76437AB03BA50A16B8BC54EE4589E62A501EB0A0354D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:54.361{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCBA0127C68EC8E53F596D6474E9EFF,SHA256=79670FA5693A08C272B54AE4C04D21987975B1C44BAFFBE7DA927C38DBB90482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:55.350{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF31B3EB8673B853CB88FA14345D098,SHA256=EE6F6593CBA3DB3A4D608026DB979A64BD5F1AAFBF01D8211D9E5BDD94EFAA72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:55.446{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=154D3D0990201C04300D6D11F4DB90FB,SHA256=878ACE907B5C03492BEC4FFD67C1761825CE7B138BC72A4C7632A72BD9CEDCA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:54.505{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50424-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000022214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.388{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7954-6442-F202-00000000DD02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.388{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.386{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.386{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7954-6442-F202-00000000DD02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000022208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.386{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8056616C09544F4C51CFB0A3D32EBEEE,SHA256=9FB4C4FAF771A4D1576E8D32139FF4EA6FB456C8C7B60DF7207E6CCC61F6309E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.386{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7954-6442-F202-00000000DD02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:56.387{223CB5FF-7954-6442-F202-00000000DD02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:56.478{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CA76079C86957110A7992608FF87CC,SHA256=BE66EE2E11C70FE8ED27A4F80B180455EB8A078FE50CFB3039B3A66C2C69BD98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.875{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7955-6442-F402-00000000DD02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.873{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7955-6442-F402-00000000DD02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.873{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7955-6442-F402-00000000DD02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.873{223CB5FF-7955-6442-F402-00000000DD02}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.675{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=363F932EFF56EE89DBD1DAD4C5707041,SHA256=D1F199F37804B0D838B2D8D435E2DCBBF742EBC6936CB2617B24690218005801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.408{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4E1DD279E813412501BDFEF51BAF6F,SHA256=98DB5F02BBAF7A6085FFD7E82091936FB497D1B3F64C8153529876F11215A1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.408{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA15123F572160CE98E1341E086CAF0D,SHA256=4BC453BD9F665BD770E1058F7CB1F20BBFD4F5701E8F416796FDE80FFD5FE77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:57.629{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76320F658837EEA88486FCEA6D271B2D,SHA256=B00BC4098C3E655BBF4CD593AA0FD4F47DE416A45E01586B84A6CB4B1856DA2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.375{223CB5FF-7955-6442-F302-00000000DD02}61606208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7955-6442-F302-00000000DD02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7955-6442-F302-00000000DD02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.208{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7955-6442-F302-00000000DD02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:57.209{223CB5FF-7955-6442-F302-00000000DD02}6160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:53.358{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65386-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000022245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.856{223CB5FF-7956-6442-F502-00000000DD02}67564804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.694{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7956-6442-F502-00000000DD02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7956-6442-F502-00000000DD02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.691{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7956-6442-F502-00000000DD02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.692{223CB5FF-7956-6442-F502-00000000DD02}6756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:58.540{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBDD98A98726760944BC95E7D887282,SHA256=AECF78ADAC06B648588C927A716A897560C88FBD364BABD491AE9FA7D1A3EB13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:58.677{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8049FB5EC75A7A8D3B97E16B7712BF96,SHA256=5AA81226E1079ABEAD93BA530E7C0A95AC915DCE9A7A99421572E6723013830A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.610{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97FE04AD19E82292012C5E7FB5828D95,SHA256=C6E75F050D5741DB94635E89F7A34D7FE8FC8A3950206AABBCD6E88D2E777B50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.557{223CB5FF-7957-6442-F602-00000000DD02}65206376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:59.743{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6748DDC23924B5B517795DED37982D81,SHA256=E74E5D5BAC88D7683E2133FD92D1F2415C0B1DE3211CD1CC2DC0B88CFB6DA658,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.376{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7957-6442-F602-00000000DD02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.374{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.374{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.374{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.374{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.373{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7957-6442-F602-00000000DD02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.373{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7957-6442-F602-00000000DD02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:53:59.373{223CB5FF-7957-6442-F602-00000000DD02}6520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:59.459{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E742318729507D0C1C7833C55278AC54,SHA256=8F8F2ECD19AF50E93089E88DDCB6DD9AED12EFDB2D82DD921F27CE3C4E24A1A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:00.776{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05848106AE5FD7036546EFADD48ED6F1,SHA256=93E19C56344A5D3D18A21322A9DC8A848216F4D3A7004362D6E5C0083A40FA62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:00.927{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7958-6442-F702-00000000DD02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:00.927{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:00.927{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:00.927{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:00.927{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:00.927{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7958-6442-F702-00000000DD02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:00.927{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7958-6442-F702-00000000DD02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:00.927{223CB5FF-7958-6442-F702-00000000DD02}6572C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:00.611{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F074690ACB9EAE236D67F6DDB54B71,SHA256=0EE7BF4EA9252C2A2A4E47B3564C821416D786125FDC900DA45DF3022D3357C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:56.488{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65387-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:56.487{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local65387-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000022274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:01.727{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D501FEEB746D66350D6E1ECFE7325E,SHA256=1DFF20958ECAF6E5B06819A70721B313D85CC8FDA0BBC48ADB692629588B95FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:01.926{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1D2560A18BC3436E2575CCD52AF485,SHA256=711B5CB5583499A7E08E7070CBCF3F3DFA8A5062DD93A1C5504F9663A8BFCC36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:01.612{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7959-6442-F802-00000000DD02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:01.612{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:01.612{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:01.612{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:01.612{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:01.612{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7959-6442-F802-00000000DD02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:01.612{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7959-6442-F802-00000000DD02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:01.612{223CB5FF-7959-6442-F802-00000000DD02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:01.143{223CB5FF-7958-6442-F702-00000000DD02}65723900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000022276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:00.514{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50425-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:02.813{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02233F5B097B131849747F72346ED875,SHA256=AD15ACEAD145B6A2D7D9F7D5BC59C6EF28C8C8ABC36073DBB26AEB361FAC818D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:02.974{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2B95AD32D1C9E04769AB534B005851F,SHA256=E18CF3218EB88E6EE4573ECA70965CB4C87BA6A8106B4D390315ACC01B94DB6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:03.900{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFACD36B1C62C544B3649728D4F2AB31,SHA256=11761FE460D5AB0B9EFE955AEF5551415158B0B178C68B5202A173F5A4177AEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:53:59.228{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65388-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:04.981{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4828E4A57DBA3F8D7262F0B1F0B05C8,SHA256=E29D00A7F4B34929875F6924AE419FAE140A8C600367249A9BF14E90E6CDA47C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:04.041{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD9494BF22CB36A0AB271C8C3EBB67E,SHA256=764564F7C3C762A4182DA51C52BE437EA3201B4E0BB636C6A07268BA3C7268A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:05.156{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96DE7B0AB545C5324B1EBF9ED0F11B5,SHA256=1B1239D0B4E109E8E9AFF55F9A49C3DEAED2F09904D245561A26FDE978C74953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:06.049{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=271E0935754D2E436947BE26A05291E7,SHA256=F3CF833F5EE92E9BB1B703B12A61A7B4A1C3F752403B2FBD3133F4FB1D7B0047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:06.274{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C73DFD5E9D0B7D3366D35C16EA48B1,SHA256=D3D67115354E21B76E2F8FE211F9A3D02A975034A7ECB2288ED72841A479AFC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:07.883{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=9DAC248F1CA6A5905037559F90AC586E,SHA256=DFEFD07EB9548273059FC065AC5D6423CABA2F91B8D6EEC8ECA32290D526E1B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:07.150{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E740BB03B23FF7B1EBE666753B5DDF,SHA256=A6D85DBB9715C78A4D61DA946FA5000F9F613619CE04CDB8F002DC5FB0084DB8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:04.236{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65389-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:07.339{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E051F20FECD45C692575F7601B921089,SHA256=90FA95E4B17ACA92F7E772D711FA92717B0D5566CB4DF75D7F1B45DA66672943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:08.236{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0749E62ECB9261F2A7D630D25C87A9,SHA256=317E9F7AC3045CD07BD41DA56B84415B682A7B6C9C481C16D79120A79F6535C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:08.373{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CF1842DB1578884C1F7237C55BF93B,SHA256=E9F54E52226525776AF2753DB99A144D30393FA125DD62043D0BF4E10308FD62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:09.352{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73359382AF5DAD263F6D4DA2728DBCE2,SHA256=A9F81EAC97002A05F8BD7598E835C6D8171AED760735B2B805DB430815DE3849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:09.438{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C11EC76668716848AF0584CF141260CC,SHA256=E37912C4AD6E13D8E0F6AF089663DA80FD09CAAB7CA431396F2B5FC4440D32CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:06.422{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50426-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:10.422{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0BD7699DF1283E274E27726A6B31A6,SHA256=7B77D6C890CC9A1C8B53780CA24F2FA8E03E764DCD7C020F9BAFCC2DE891F035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:10.496{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D78F84DF37163463496D6203605290CF,SHA256=21BC0312DBB90A74E429D37E9B9993E533C9E7124F7CB3C921C8BE00F0B0D550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:11.524{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6378F727A1C0F705F84E5570FA281D,SHA256=F273111CFB3AD96272723A8B8D79ECD11C9D2BE255D4096F7F2830F3F00CCFDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:11.622{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1A73C28F12D43BCCCD793A5870A5A7,SHA256=539404A6856DD4CD4F84C959D6DDBD86C54295FE7C8865B37C013E0007C8D680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:12.625{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54560542A77B20591D14B327EB2EBAB2,SHA256=6F0F9FC0E3A67C9817780D2C1CB1FA58550580D09974C2A45C670FDC0FAF79E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:12.670{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0004D876FF5FA6022534C0E3F305CE67,SHA256=96298CCE1E12622B62BBAA8B269CD261FE20EAB2FBE2A586E6EC6F64D06BA065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:13.741{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276B07EC477E3B3A457EBDC2A2E013A2,SHA256=1F0979BB475B9605363DA3B736826B0C7BBDFBF4FD5A660DA1BCC7EAC5251B79,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:10.248{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65390-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:13.805{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF61D959244C941BF0791C3E4A1A7126,SHA256=A1D1B71B5BDA933F63CB19092AF9B6E5EEF3F06831FA977EB1D5C1EB5FDEC835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:13.223{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-057MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:14.842{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1367FCFE4E08CF5178956E11B329B7,SHA256=5F05A7401D54D58466098214449CB1F39180C7C868F72E8EF7C612C32D1EEACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:14.836{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2C874F92703B654040079E77295AEE,SHA256=659050A91FEB5A0C9E8EC3E53175C090F60765F1FED92527C2605E90BE05575F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:14.237{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-058MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:15.892{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42CD6AE23364ED4594090578CA08B3D,SHA256=8A516CAD145CD87078C3C9154BC4B5C7081DAB4E70E6FD4598022CC12C09F2E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.893{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87CAAF2793AA8E730EFD59D81237798,SHA256=B828C062C15D9D03AE5213D522CBE7FF39179A8566E17B69F1442FD8F31D524E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:12.427{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50427-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7967-6442-4906-00000000DC02}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7967-6442-4906-00000000DC02}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.204{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7967-6442-4906-00000000DC02}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:15.205{AF4EC832-7967-6442-4906-00000000DC02}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:16.974{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFC452D09EE1FF8A7D135ED3D080AEF,SHA256=B0A619C2C0179ADCED21B758D501F13DE324D111D6CE39BD55AD0F61D5117BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:16.968{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E34709DEBBAF1D0E39366D396F48B96,SHA256=12ACEDB34F959C398119CEFB9A9DD3A095EC4857DFE2B98A0344EF302B750D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:16.235{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAEF41ED618A3D6E819FF297D106EF5C,SHA256=EA4E8C1D7FCFCC68F3289E7256ECDBC0D778801DBB76417181663E8C78C331A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.734{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5F855C8E19896344FDAE53D142F8C75F,SHA256=BA3A700D6623D60D44C5B8B328792B58D8B40D7A13D5739B830DD17731B9609D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7969-6442-4B06-00000000DC02}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7969-6442-4B06-00000000DC02}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.718{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7969-6442-4B06-00000000DC02}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.719{AF4EC832-7969-6442-4B06-00000000DC02}4628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.234{AF4EC832-7969-6442-4A06-00000000DC02}62085760C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7969-6442-4A06-00000000DC02}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7969-6442-4A06-00000000DC02}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.034{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7969-6442-4A06-00000000DC02}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:17.035{AF4EC832-7969-6442-4A06-00000000DC02}6208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:18.091{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E065B4CDF2A46546429E58B97CF140FB,SHA256=00858C10C4381AA09F243555B06DB31440C132525DEFA3A848F6AEA49E2C1A3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.450{AF4EC832-796A-6442-4C06-00000000DC02}29845292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-796A-6442-4C06-00000000DC02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-796A-6442-4C06-00000000DC02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.219{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-796A-6442-4C06-00000000DC02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.220{AF4EC832-796A-6442-4C06-00000000DC02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:18.019{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8E65D7C1D3A6FBB1A54DA7233AE732,SHA256=5EF72028688A6CBAF34A68009BEA28689C401127EDA91346058DAB9ED151CB79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:19.310{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:19.210{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719A53426EC5C9596352E5DE23ACEA1B,SHA256=535CA76FC2CD49D4A382A2BFD2B9C73F0FDC8D8776191A32304E93AAECD16130,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:16.275{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65391-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.870{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-796B-6442-4E06-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.867{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.867{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.867{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.865{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.865{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-796B-6442-4E06-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.865{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-796B-6442-4E06-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.866{AF4EC832-796B-6442-4E06-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.374{AF4EC832-796B-6442-4D06-00000000DC02}62766168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-796B-6442-4D06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-796B-6442-4D06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.192{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-796B-6442-4D06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.193{AF4EC832-796B-6442-4D06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:19.070{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C166E4AD9DEBDF7FE9177CF7BC17D09,SHA256=0E0738770FE5CC8BD9EC7E13FE1002E7DE95A10F959F5128F7DB2EBB055CBECC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:20.256{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D7D8AF9703BA16DC4CC89248396B467,SHA256=81940316294CCB3DE7B5FE8CE876802994CFC24DF082A7B364BC7DB54948B21B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-796C-6442-4F06-00000000DC02}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-796C-6442-4F06-00000000DC02}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6B62-6442-0C00-00000000DC02}840684C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.492{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-796C-6442-4F06-00000000DC02}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.494{AF4EC832-796C-6442-4F06-00000000DC02}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.118{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847FBFAD2B7ACA067262FC60202C5FAC,SHA256=B1202D7640AF0DE6192450DBF5BF5D53A823852D8CC015C10501F3263829E478,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:20.069{AF4EC832-796B-6442-4E06-00000000DC02}5045684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:21.389{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B07AFBAB5E96D82FE6C0E169ACC9E9F,SHA256=B0182DB95F616757757F4DFFF61409EAB8791D00741574F425994DBDCBAB62BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:21.134{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F804CB9D1C3980CE85131F4BA815E968,SHA256=0FFA7045437460F2F88008A44C33BF31881E4296F204251896BB8FE2F8650FEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:18.575{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50429-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000022297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:18.375{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50428-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:22.409{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-047MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:22.408{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AB6ECCCF78C1374600D0C5A207D022,SHA256=DB8D44C53A255685703C9DF61705A436D1D2C16F38308AB950F17C1C15F025FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:22.250{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC4CDC0F504A4905DAF929950E73B03,SHA256=CC1C4A3DA41B8E15A83A7B5D2FF2C2E4A57E42D2FA96DEC8463BCB8EBA6F1808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:23.638{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51FB4A8D8717E1D862E77E7105BEE851,SHA256=4156F8602170803D957A47D867B1C45DAFC121F6ECA6886EF308284079C97963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:23.366{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CD0610EF7D8FAF142443EC2F852162,SHA256=AA9D944CCF169F686FA01E22DF94D87892D405E2B5CA11401B2DB3C5FB902CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:23.408{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-048MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:24.769{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A61ED4FB9780A73D8B315035E6E0677,SHA256=74669FCEEE0A7D61CF9C522B58AFA4679B8CEB4637B4CD5A1C583E572D87F9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:24.417{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D967796457746954EC44B44DA64DF0,SHA256=E39FB1DFD5E5B567B9CCBA77E73E7591E7675E974C6286647585E66007D36F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:25.905{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E215031D09FDDAA40683A07A04F084,SHA256=510990955B4174CEB3E19AA963F4358CD368A53BBF848B60F4BD77B165A7861D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:25.532{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A369963B151E3AF97A531551678E908,SHA256=CBF57A3E650B40942A00E502A600192D4BF4E3492C4BD5CF59459C5ED847CF1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:21.374{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65392-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:26.565{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=971BA52F11E7C737CC48E680250234A7,SHA256=24B074036EB67637B61E34085C542639D79F46125A0F8B86B3676F759E4DCA64,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:24.340{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50430-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:26.290{AF4EC832-6B63-6442-0D00-00000000DC02}8964028C:\Windows\system32\svchost.exe{AF4EC832-7353-6442-7A05-00000000DC02}4404C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:27.631{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5BABE9B646E74267E6F52C1233A2A5,SHA256=E7BC80D3B887CD6510B7C25610AA9549BCBDE703C49497E5EB852C8B7EAB50A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:27.867{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BF4125ADB1F76EAAF5D5402956097A5F,SHA256=518A21FC539E790320025DA7CB11461F84B3BE4C862A7ACE08E0D994830B614C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:27.052{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9893EBD4ECA1D75A1EBC6CEBC18D55D,SHA256=56623BED1326C517299B4A8C23784857C9E1AA5A739571784C40F880DC7D8913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:27.347{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:28.764{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5C60025100E215A00F3C409B8F73B6,SHA256=896FCFDADB3A89658D402EF0A84D3B81D65F9E0C9281832C7638562C0F540BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:28.185{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123CD6C0FE6827AEC02D7CA316875AF1,SHA256=A9B72737DE0D86B7B627FFD3491EC465001C83CAE7C9C5167F7745CBA459D377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:29.319{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CB767B89836D8528C0E4BC4103DA7E,SHA256=6E49E3855C7E93F20F35C7046B000905B3AA4D289A9249DC1C2D7E832D8329CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.771{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2034538232CF45BE6426F6AA8CBBEC05,SHA256=B9072DD4B31AAA184B34D7F66F99E6B1BDEB7C5E06DEAA64B3BDD36FD728273D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000027318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000027317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000027316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\AddressTypeDWORD (0x00000000) 13241300x800000000000000027315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\LeaseTerminatesTimeDWORD (0x64428785) 13241300x800000000000000027314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\T2DWORD (0x644285c3) 13241300x800000000000000027313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\T1DWORD (0x6442807d) 13241300x800000000000000027312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\LeaseObtainedTimeDWORD (0x64427975) 13241300x800000000000000027311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\LeaseDWORD (0x00000e10) 13241300x800000000000000027310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\DhcpServer10.0.1.1 13241300x800000000000000027309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\DhcpSubnetMask255.255.255.0 13241300x800000000000000027308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\DhcpIPAddress10.0.1.14 13241300x800000000000000027307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:29.189{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4affbb38-30ba-4e64-8572-e9488c6f6bb1}\DhcpInterfaceOptionsBinary Data 354300x800000000000000027306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:25.471{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65393-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000022311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:30.450{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0494D1BFE6AB0550148EC587E0816B,SHA256=1DDF8252D67879FEA7119561952953A840A976E2D9BEACCCA2BB6CAA5D1FC9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.832{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FAD388C5670A9CCF90B1553A574851,SHA256=0010C107E0CA800A866E176468E1D3AF10D0668D8141CC01A28ABD311B4AEF0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.217{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5348F8D1CBD0E5CE9BD7A925D756B46B,SHA256=1902DCCC22C10D886CA42997B71C7FECAE5BEC61F8C0AE399E2C850D01C03318,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.201{AF4EC832-6B60-6442-0B00-00000000DC02}628756C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.201{AF4EC832-6B60-6442-0B00-00000000DC02}628756C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.132{AF4EC832-6B63-6442-1600-00000000DC02}13362148C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.132{AF4EC832-6B63-6442-1600-00000000DC02}13362148C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:31.592{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F76C5BFD6ECAAEB200F37607D00BC7,SHA256=20AF5BA2B2EE1FA2AFCA6D2B4E70E11AD0139DD40A247EF40B3C4CB77BC93688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:31.873{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CECE4FDA0746B7A52A0DD8E23EF55A98,SHA256=266C74B08FFF6F88D603C1AD5B92C22F656DE1732AAEA9BDFC06464BB2B64BE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:29.452{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50431-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:27.313{AF4EC832-6B63-6442-1300-00000000DC02}776C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 354300x800000000000000027340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:27.171{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65394-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000027339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x800000000000000027338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\StaleAdapterDWORD (0x00000000) 13241300x800000000000000027337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\CompartmentIdDWORD (0x00000001) 13241300x800000000000000027336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\FlagsDWORD (0x00000002) 13241300x800000000000000027335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\TtlDWORD (0x000004b0) 13241300x800000000000000027334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\SentPriUpdateToIpBinary Data 13241300x800000000000000027333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\SentUpdateToIpBinary Data 13241300x800000000000000027332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\DnsServersBinary Data 13241300x800000000000000027331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\HostAddrsBinary Data 13241300x800000000000000027330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\PrimaryDomainNameattackrange.local 13241300x800000000000000027329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\AdapterDomainName(Empty) 13241300x800000000000000027328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.231{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\Hostnamewin-dc-ctus-attack-range-616 10341000x800000000000000027327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:31.216{AF4EC832-6B60-6442-0B00-00000000DC02}628756C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97952|C:\Windows\system32\kerberos.DLL+79c68|C:\Windows\system32\kerberos.DLL+1458f|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+2da46|C:\Windows\system32\lsasrv.dll+32e35|C:\Windows\system32\lsasrv.dll+30cbb|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+17bcd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e 13241300x800000000000000027326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:54:31.216{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{4AFFBB38-30BA-4E64-8572-E9488C6F6BB1}\RegisteredSinceBootDWORD (0x00000001) 23542300x800000000000000022314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:32.709{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13498A08063443A91F4F005A37BD2474,SHA256=FDFA45758D7CC8F44D0775EAA7691DA74492DE7E9676C4F01B587937CDD0A46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:32.915{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A674CB1843FDDE64473543FD6368F70E,SHA256=518DDAF3EFB715C62AB13A3EB488C6BACE29A5D3E117CA3C4F11D5278753CAD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:32.566{AF4EC832-6B60-6442-0B00-00000000DC02}628756C:\Windows\system32\lsass.exe{AF4EC832-6B5D-6442-0100-00000000DC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97952|C:\Windows\system32\kerberos.DLL+79c68|C:\Windows\system32\kerberos.DLL+1458f|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+2da46|C:\Windows\system32\lsasrv.dll+332d9|C:\Windows\system32\lsasrv.dll+30c27|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+17bcd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e 23542300x800000000000000027352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:32.289{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17BC4E9CFF3CA5EEC37DD9279197D44E,SHA256=09098EFD87878BF07C4F805ED0BBC7A6E6364DD8EBBC0AB8AF41F3B16F20F5F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.355{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local64928- 354300x800000000000000027350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.348{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51635-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.348{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51635-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.347{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local56486- 354300x800000000000000027347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.346{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51634-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domain 354300x800000000000000027346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.345{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51634-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domain 354300x800000000000000027345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.344{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65487- 354300x800000000000000027344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.343{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local65487-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domain 354300x800000000000000027343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.343{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53137- 23542300x800000000000000022315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:33.808{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCA9A08F7EE8667F4675F17AE444136,SHA256=41F3A7A9AB768E161FDA0E8B708979137B52415C3ACA774797FBB43671A839D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:33.947{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=814B1348460CA26F398F482A508A8422,SHA256=5747AD6EB78884B2D36FDCC208B972AA0F1A05E22BEC0ED4C9DC6B2EC37E2827,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.359{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local58233- 354300x800000000000000027360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.358{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51483-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domain 354300x800000000000000027359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.358{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51483- 354300x800000000000000027358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.358{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:f860:867e:9ac:ffff-51483-truea00:10e:0:0:0:0:0:0win-dc-ctus-attack-range-616.attackrange.local53domain 354300x800000000000000027357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.356{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local49425- 354300x800000000000000027356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.356{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local58862- 354300x800000000000000027355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:29.356{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local58862-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domain 23542300x800000000000000022316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:34.940{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E681EA46AEB3B94CAD8833113A21F40,SHA256=34E8ABE5481A60075E1C336D79940874A3D8F4E514FB2058EAD178F0114B718F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:34.118{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000027364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.687{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51636-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 354300x800000000000000027363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:30.687{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51636-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 23542300x800000000000000027396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:35.233{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F8544AA9EB1841C539595F70DF05D9,SHA256=43C8CED00444406AA4AF217B95826A43CDAFB2CB99BAE548AC4A51754C17E9CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:34.542{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50432-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:36.055{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A46C68787BF31C0A2F5807D7C36FDE,SHA256=BB5EDD27BD8F23E626D70B456BCB576D76D2588865D1AAEEC78C374CB86F7F28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:36.367{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C8AED1ACB91079131FFC3933C4E002,SHA256=83B74E2F491E271A72BCAB4EA71A2F096C245F61B0004B88FA7387C3D9A9C4E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:32.171{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51637-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:37.088{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9A9EA14AA3A1ECA768C11178453D20,SHA256=0BC4DF9FBDC61A4ECE0B76F8C3F7DB4AF6EC9475E85F7EC2BAD96C16A2BE774C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:37.433{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D65FA29E8A217F944596A9E6AC539FA0,SHA256=CE5089658DF044D9E612C26C86FBE7C30A012281CD6D973D7A30E69A6E44A439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:38.107{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C8503B512BB500978999B11FE39CCFA,SHA256=9DCF9630864099EFFF7DFD1F6DF10B1F7A9A9A114E2A969C9FF0C19630F35C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:38.518{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A1F6B0BA65CEBE23C3F78EE8CA23507,SHA256=2BB0D415758283164DEFAE3CC5EBBE503BF50B29AE1496200A86ECED875F6AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:39.269{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AA554952A97070E157E59F1C516488,SHA256=20FE472C57CC2BAC07C3F0531E372F0AF510B18D1B8AED2165A01E7129320CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:39.548{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89AE2B08C9103B3C18BF14472DED5321,SHA256=F952F2EC096B78BC9C08D16672AB28BADDB17F2ABAC00ABD885140FD2E317874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:40.369{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FD72BF23096B6C70C8E34C774EA76DC,SHA256=5B7DA49460557D1CCB8FC18A738DD607B782AFE309C6D4587C6C216B41878AE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:40.590{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD3A2B1C2A8016D1671562C5C9CE62A,SHA256=A1515D354C3F94875D6391636B79944F88A216B0A239F542C0049515FC6313D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:41.487{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A445A5EE304D539A68BF7B3EA53FFC,SHA256=110E44349635A699E965B29393ABC48B2B6DFD318321BE3A0EC6CD8224798A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:41.632{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F546B3A3644DEBDF19495A2C0DC41F1C,SHA256=26C0044D5710A5BCFA08D15CF7A8D41A5BE4CD3801E5631F2B17881897D7C385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:42.586{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDEED0E71EEF1D29E18E91531C2F6CE,SHA256=57DDC243BE1114DA8F12FBFA314ED351F24497945CA0E12EAD73D99F87DEA46C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:40.475{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50433-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:42.665{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE946EB83C6F2E02097AF5D6C3A737B,SHA256=5EE536F23A8E4014B47E1C57ECEAAE2B791E30C00648E45BAC112EE4C3A392CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:38.186{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51638-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:43.606{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F21334DABAD211FCD2E25AE1A1F1235A,SHA256=D8B8A510A2E92922CBCD567D244DA708AFA03BDBEA5DBC24875BF7E55AB90852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:43.747{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10AD7EA69DAAD9D62C906A74DEBC6E7D,SHA256=829620ABDBFD2EB5C01B06C06FD02F6769B97B5B8857D93561E7AA81E048876E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:44.815{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5A35E7300317B8104068528154BAD2,SHA256=467BD280708547A80A7622F617CA2EC98F239F829378E4815AA6B4EDF97DC9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:44.636{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8946BBBDBC28298BF7E9C475D82463,SHA256=ABDBAC9276CA4BA3E3B0E0656A73CCC28F887BDF3569166D7C6058D7B04A88D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:44.389{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C04BB33C4BDB624CDA01FE98D7390A63,SHA256=23BBD7C56D64DB98A4C8AFC626C681B1DEAA0C108CB8F7C0A664EA3922E5FAB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:45.988{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F185674CB914F600D68B7937DF534064,SHA256=48EE082953DE899F4619C022F358B37C5C7670C8B0CC9461C1DDDAFCC92DFF3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:45.667{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAC5395142B6E428C407A31B9C41EBC,SHA256=EE4DD712E94AFD364FC18D8A041ECABE063C275F95A47088FECE18D260FA1BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:46.804{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C79546214F68CE1BA9140A7D89EA72,SHA256=CF99DF8FAB64C3CA37E2D6EC9D25427301BB0A367F09C17A0830E20800F845E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:46.687{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\datareporting\aborted-session-pingMD5=7E1008ABA98FB9D1A0A5C52CFB173AB1,SHA256=807C7C471CD54AC21B6D2B3A82213820484FE3FF1FA0171C338DA92F5E2EE4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:47.818{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CA33802BD8F87BA98415246533FE94,SHA256=5A3886D4E14D48C6F9E0B20537CEF3E226B70376F43E7F87C5160DDBB1A66D22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:44.168{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51639-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:47.015{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=26DEE1A2A4FC544C8002AC4F9C7B4AC6,SHA256=6200EE26FE9043EE0C19934C7FBA39213687719E5C827ED9A654C5C5CB350275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:47.015{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8877176848EBD2CB0E7A43123B0E263B,SHA256=BDB3E23B2146C9889D7776604199CBCE76BA216C5666E24448F3E1CCAAE33C68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:46.453{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50434-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:48.864{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC9E4E3556AAF3858E8434484AE66C5,SHA256=B388E896735FAA09D0B11F9207ADCED6F516453009E7CA6268C48C5C3CB43A69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:48.164{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3223D11BD72025A4C1891E38709DE3,SHA256=959AB15FE8E31718F1701860EF781263B96ACB4D6A3D65158D727679A0C56C6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:49.882{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8889452CE645AFE069BB54B0F744B7FA,SHA256=1DA2342E495270F237B1E7BE3F0BFC8350A308EC82478BDE4BB308D9536D725E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:49.245{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278F8DDCC22BC2FE2DD860844AEF2192,SHA256=EB79D0DC96BAF99B7FF3DEEA12765268D538D01004CAAE4ABF344A018DE893F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:50.287{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D73AE8AED39EB8C614501D41DD2E6C2,SHA256=D11FC787A75ADE24F5378F0B935D684C741FE8619E74DFF03471D01CF52B2413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:51.413{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2DD25A796D1ADC90F4E4B14CB9040E,SHA256=95CC9AB1D156FE2B9C5218528B304F2A3137E09A0E4FBB9B34D59B6992508608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:51.000{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB571F5390F2A592975D660269DC824C,SHA256=9239245E4D18102E7D69F9A34DD45DFCC8E9B6651A75811D7146542A1C8A52D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:52.115{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCF6BD29A3F44C3F2210C2D5F88E617,SHA256=2C8CFE5ED9FFBE9A112672336020C525698AA7AE39929C9B0E273EAEDAB4A1DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:52.429{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE3F7472FBC01652421E53E108AF3CE,SHA256=18E088EFFAE5CDB5381176C95D2FF709F973C60B9D95DFC72CA608AEB20AD7EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:51.485{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50435-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:53.246{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C389E22C8FA9C91312A7D338FEBDEEB1,SHA256=E65D224C5A77AA1CFDDFC013172061B83D6D8BA43297027FCD21E55575AEEB35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:53.486{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0F94B3AF62C30E463463A7AE8C5511,SHA256=2CAB466F653C1C84EF5F258426E44E82ECF7ADD935F8378C3B832FE99FFDB3A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:54.279{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007B413CE44280C4F41FF158344D9D28,SHA256=CBA8CF92FBC13BBA5113D988AA2887AB7BB5B5375153359C4CD06E47E504EB25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:50.185{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51640-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:54.544{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FF743C652EFBB7B8E8C9625919EE23A,SHA256=954922E84CB1CCEE6F6738050ECC83E8A94B0145CDAC8B95D8E73F6ADB4CDDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:55.330{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF2EC1DF82ECCBA3B0C7D9AEEB92E24,SHA256=DB7CC5CB9062CF30E62C72A661C304160DEDA2BB9DAFD1885821A51D303C33BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:55.585{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F13D74737659403647D2AD1FCEAAA06B,SHA256=5EE5ED8C09B17018AB9EC22E6DDA794922A251B48CDF438A4F7DD33383763B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:56.627{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5861950096AD2139660E237ADAFCEF5C,SHA256=8035EDB6E5D313C57E0FE6DC3168CEBDE1CBA06F199F28941DE14CAE1C1195A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.480{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC1EC59B40195798E43435F74F7411A,SHA256=544D179D9A519A372096A55BA85A6B49117D736B83CB26D50745EA59DBBC1CF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7990-6442-F902-00000000DD02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7990-6442-F902-00000000DD02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.381{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7990-6442-F902-00000000DD02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:56.380{223CB5FF-7990-6442-F902-00000000DD02}5248C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7991-6442-FB02-00000000DD02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7991-6442-FB02-00000000DD02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.804{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7991-6442-FB02-00000000DD02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.805{223CB5FF-7991-6442-FB02-00000000DD02}5616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.604{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43BA4520CE4B7336C3E15B752D12A4F6,SHA256=B4FC33A1813C160CE50471B8F940C185DE8AFC22831AFD3C78D9DFE32313F510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.588{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E195D03277DA5C15EA65CE09997397A3,SHA256=4943A0C8600759CA5A6553AB3A66F1D1081ACCB03C44A66BE7DD0DA70D3E9EA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:57.684{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A69E96D2E2FB9DA74269756B3D10E4,SHA256=03A5D6DC2426EC6658E01BFCB75AA3A00B193799FC60F157E42EB68365973240,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7991-6442-FA02-00000000DD02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7991-6442-FA02-00000000DD02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7991-6442-FA02-00000000DD02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.229{223CB5FF-7991-6442-FA02-00000000DD02}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.856{223CB5FF-7992-6442-FC02-00000000DD02}25323316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.719{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DC249E4BC25617D8CC1CF19A865509,SHA256=22A8883EF5B3ED8849682684C8972E8ACA7D3DA452844AA2772FC1EF4D54AFD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7992-6442-FC02-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7992-6442-FC02-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7992-6442-FC02-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.688{223CB5FF-7992-6442-FC02-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:58.710{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33FC8C9D8C7CBA292AA03E0DCFA0517,SHA256=C918B0E22DBBB3996F44DCE75CA68FB42720F171BB8F40C34BA37B573DCE9DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.072{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C144A77234ADC6D34810A11F6B4343FC,SHA256=A3856ABA1AA650C430F425933895066D52261526ABD60A82429F63A6E04C5582,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:58.004{223CB5FF-7991-6442-FB02-00000000DD02}56167096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.803{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41888E63D41F65C610DCD13C0926C9BB,SHA256=48681F9D183194C3D563A6D53FA17DD0406834652E36A635B70B829117495084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:59.759{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E03C1E347CBE03938AFA2B8F88598D,SHA256=FCEFC279B3435F0F8C218189046C836B910C612B787E70FDA9D1933D48F67C9C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.503{223CB5FF-7993-6442-FD02-00000000DD02}58324648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7993-6442-FD02-00000000DD02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7993-6442-FD02-00000000DD02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.356{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7993-6442-FD02-00000000DD02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:59.357{223CB5FF-7993-6442-FD02-00000000DD02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:56.204{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51641-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:59.410{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CCA1CEF5F8A091D03CEA0DA13CDB630,SHA256=9F15740EA61D2A604A9A7285771A8DDE697F1DB53823E460A28FDC7E096FCC9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7994-6442-FE02-00000000DD02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7994-6442-FE02-00000000DD02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7994-6442-FE02-00000000DD02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.856{223CB5FF-7994-6442-FE02-00000000DD02}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:00.836{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079EEACF87EEE1E8996355787CDC7B9D,SHA256=33EF9B35882128317F9F6E30ED13875054BD1D09ECA04F42F29A4019E037BB66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:00.794{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E497629F6D4F396FBD794992EA638A,SHA256=EBC1CCE0C39F3EDD5FE7116D2A58AE0542E2B4714362F815AC9FC4365CC2DFC9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000022391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:55:00.755{223CB5FF-6DE2-6442-1500-00000000DD02}1104C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d97448-0x1a0b41b4) 354300x800000000000000022390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:54:57.407{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50436-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:56.504{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51642-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:54:56.504{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51642-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000022410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.957{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6017743536BFBCCAA2F0373421140E9B,SHA256=E4D7C97BBEC193047CE1AF065DB2495816973DE25DD4C0D0776710522DCA047D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:01.824{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0450475B4817D270C66A0FBF5FE3397E,SHA256=4A67CFCAB38E892BEBF3D701C99081EABC5D9ED2D5215D9FA6BD32E4734DAC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.538{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7995-6442-FF02-00000000DD02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.536{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.536{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.536{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.536{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.536{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7995-6442-FF02-00000000DD02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.535{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7995-6442-FF02-00000000DD02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.535{223CB5FF-7995-6442-FF02-00000000DD02}6464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:01.039{223CB5FF-7994-6442-FE02-00000000DD02}68046492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:02.857{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD075548C82B5895DE825C795F981B6,SHA256=C4A3DC4C6867BDD02D9648D1852D1B76E5DAC94CBFFD2A18CE0DE1FB2D988356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:03.959{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2AF26FC05FBB93E8699BE1C5602795B,SHA256=FDB6CC8514C11D47C96A19801FB91DF610448180AE594F84B6574659E8570A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:03.074{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C0A0EABC4B3ECC9C92B995EC01B0FB,SHA256=6F4F55667B38AA9F7428D537F7C352831AE1D7CEFE6B7CCF7053DA558D56B1FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:04.205{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEBACB57BCB7B13880AB663B46E6847E,SHA256=93D1800159E76F9E5A65C7E7E29D3FCE0C7759043DE84CAA47358E6550446F58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:01.260{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51643-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:05.338{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790D1F5E51BC280EEC1320CE894E6C90,SHA256=8BE9EE6BDCAA4E49B7E97E2A6C9B547B4634D8C681BF51464348943C386CE7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:05.086{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07CF4D0ACF538DB3ABF61471830D08BD,SHA256=BFA2D5FF71789507D484A8F4F706FB29159F2D4EC75B13D9218927D0062F07BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:06.437{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511E115E3037EFFCDFF3E140F5E2A9EA,SHA256=CDC10B353FE1D2F1CC9A9D2017C4CBF76CE8FD0CEE3FB7FA7B1914A345548B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:06.146{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DE2CCC7EBA03AE8DF9B099B4DA8C22,SHA256=4F5A452E3F431C6DA86754CB5125CFA735B51BB1518189930DD1A141D4E4CB86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:03.360{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50437-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:07.888{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8B21D4E69169A69235BCC54CAAC388F5,SHA256=903F008D4A4B34ECC0BB93762C713D22C9DA02E87C69AFE77C24431E50FE9796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:07.572{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=470F3D2992377E7636314D0AAB1E497E,SHA256=5A210462333DE9D26714DB10EF962583EA696FF03673B443A2E7FA5A94422F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:07.166{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB7676CEB77EA7F962E3844662F19DD1,SHA256=A3F18F1BD0382CB8CBE00F1FF75AE32397DE4D25D3CAC53C96EB630D454CB1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:08.719{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D3BF98AED46661C0274D3E9E0AFF06,SHA256=786F8D7FF0088717F65C02396144CA9810A2C24DD2733095798A95011D0BA5CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:08.295{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4121B5C569A92BBCB1F59DB5BE48DD63,SHA256=F51504E364EAFEA47282D0B3BDAD6EBA94324792AC1C4555E3013AAD71A64AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:09.771{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E5C36E03E6F095A889839556B722F7D,SHA256=7367FD1D4667608C9F9147DC72714808A23C0E8C729EEB6AD938DD4A850B96DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:09.354{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E0353BD86E4B24634A3F86DAA3CC74,SHA256=A800FAC9C664231834DDCF9862904C33B784630C1A04D81C5C64C4AE24B1F55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:10.802{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2582EA4D117A9714279D537CA0A6D6B1,SHA256=7CFBACF12C324865589796694A3FCB5EC8B1B45125C15EC543E36F8D1E28356A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:10.374{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7809FD0E9F3FAFE0519BAD0AF8E1397,SHA256=B1F8AE6506142472013252D1410D2584EDC4EADBEBA37067A537853FD26CC4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:11.935{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCFE2E6EE5422151735BEBD5BA2F2CF,SHA256=CD1A46192BA70C00636647DD198BF5DEA26A4558F4EA337B4E68F1557B045805,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:11.978{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:11.978{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:11.428{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299EAC08229408820CFF7CA811B0EA63,SHA256=B911D547EF7C891C46E8AC5406FD0960AACF6FC248CF8A62597A33171F5D3550,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:09.404{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50438-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:07.291{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51644-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:12.446{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FC420060BF49B4E7DEC9ABA0A5781D,SHA256=068E5C28439169C2712B7E2B711519D479D0164A805FCA5F4EA83534A5DDD2E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:12.669{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:13.565{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3691D43454ECEC634D558F065DEFE117,SHA256=3C5343E609AC957DC7F00A29AB5FB203CADA2C9716117F9F37FE3658E1D02057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:13.034{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85F5B74F5042E1EE2F914CB6B6999B3,SHA256=704DD6512E4AD8EA761796DB2FC1A117C42BE004C8DF1FC42BADBCC02069E9A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:14.772{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-058MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:14.586{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CFBB8FFF3A287DD71E888D420C8F332,SHA256=B452897A71F07DD1A4DCE6E69148023280ED495863E8C65976EB4581EAACEFA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:14.068{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF92741B12CC1E709CDDFE188178EE8,SHA256=19BAA30BDF1F3B72BC2F58D56959C72DBE2428FFCF2892DEAFA2BF7C56F37653,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:10.097{AF4EC832-6B63-6442-0D00-00000000DC02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51645-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap 354300x800000000000000027447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:10.097{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51645-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap 23542300x800000000000000027460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.771{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.654{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE64B67396D659ADC9F2317B69ED169,SHA256=80F4397CFE456CE4662C2C8FC5A396076215E82A1FE13A6C626901B6F64C35B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:15.198{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8428753EFEACAA2D3059B1107CF2D4,SHA256=14B5FEDA1A1D3EAB913A919EFA90914CEDAB3D7C3CC9B4367E3ECABA8DCA15B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.091{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79A3-6442-5006-00000000DC02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.088{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.087{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.087{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.087{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.086{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79A3-6442-5006-00000000DC02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.086{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79A3-6442-5006-00000000DC02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:15.085{AF4EC832-79A3-6442-5006-00000000DC02}3128C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:16.351{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58E1C3F5E809FB1A274B5417B604F725,SHA256=03966048DE906721D798BB17EB2A8D23145E87C8469240336FC28E1E90F21338,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:13.156{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51646-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:16.716{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=831691139B13FC10079B9E424EE17C15,SHA256=B476CBCEA1DE18AEA0B213A08BD4406B04F497DDDC7A2F5335CAC4D7544282DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:16.156{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=879AAC3E3EDCD40AE0C96286CBD107F7,SHA256=015518FB248332A8F03839AE2B177A935A5847C26B715BCF8B937EA7BA738F7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.960{AF4EC832-79A5-6442-5206-00000000DC02}58924992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.760{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4488A36C03CBF2D70D53CA5593A3DA9E,SHA256=258CDFC4A2B5800D5768B0B95EDA40F81B3A0CCA18C33FEEB05618DCA48F6DBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79A5-6442-5206-00000000DC02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79A5-6442-5206-00000000DC02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.744{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79A5-6442-5206-00000000DC02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.745{AF4EC832-79A5-6442-5206-00000000DC02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:17.466{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF7884D88948BEF3FC837B28880CB27,SHA256=C1527F2BBC3864E4E636833B3362E7380BB603DB08810C3A711052C64DFE5218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.317{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6EBA3D042A0A0F2A7977C2AEB8AB8A56,SHA256=7A7F2E7BDD4885541B6A434289C8AA1A5F64E9E96E081D1BF1D791231CBDFD0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.058{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79A5-6442-5106-00000000DC02}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.058{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.058{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.058{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.058{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.058{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-79A5-6442-5106-00000000DC02}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.058{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79A5-6442-5106-00000000DC02}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:17.059{AF4EC832-79A5-6442-5106-00000000DC02}4424C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000022430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:15.419{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50439-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:18.512{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6657725993F22C49A266D196453C5F2,SHA256=1E103DBCACAE494ACAE3078DBB4B691E1C53D2F490E06D0A3CA58ED0A5753666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.820{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DD6AF6998337FBE30675645CC857FCB,SHA256=2AB6E64C1C5806DA8D6EE36F6D673920FB7AEB453AAFFEC790AB58073AC482B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.630{AF4EC832-79A6-6442-5306-00000000DC02}57965748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.419{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79A6-6442-5306-00000000DC02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.419{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.419{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.419{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.419{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.419{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-79A6-6442-5306-00000000DC02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.419{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79A6-6442-5306-00000000DC02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.420{AF4EC832-79A6-6442-5306-00000000DC02}5796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:19.530{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA437AF859628B61C8B263E1DB24093,SHA256=91F9A1943B14DCCD1D9271A984A8FECC679A29D6DEDCDF5B4C7A5A964A564FC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.933{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79A7-6442-5506-00000000DC02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.928{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.928{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.928{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.928{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.928{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79A7-6442-5506-00000000DC02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.928{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79A7-6442-5506-00000000DC02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.929{AF4EC832-79A7-6442-5506-00000000DC02}2648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.900{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4E42AB293797B87C1048709DEEC1BC,SHA256=0BAE8C3915D3B5B73D14342913E634C451F128D47B5296997FDA4E8478EA797C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:19.332{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.448{AF4EC832-79A7-6442-5406-00000000DC02}34045724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.224{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79A7-6442-5406-00000000DC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.224{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.224{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.224{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.224{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.224{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79A7-6442-5406-00000000DC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.224{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79A7-6442-5406-00000000DC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.225{AF4EC832-79A7-6442-5406-00000000DC02}3404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:20.629{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B9A943DD7A74E78D95B5B45E23FEFAF,SHA256=5758E76AA528963F3526CDD66CFC9CBB4C50ABB567FA63CC30565EB468AC8823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.934{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3754AC6694515AA787DEDC1BAD20D711,SHA256=BEAE5781B4920FA4F6BEB9124A8269BC85DCC76E494651C6054C33541F02A0BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.624{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79A8-6442-5606-00000000DC02}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.624{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.624{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.624{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.624{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.624{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-79A8-6442-5606-00000000DC02}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.624{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79A8-6442-5606-00000000DC02}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.624{AF4EC832-79A8-6442-5606-00000000DC02}616C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.179{AF4EC832-79A7-6442-5506-00000000DC02}26484100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:21.728{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00EFA93B60BAEA188C8D6EE9E3CAF25,SHA256=38716C94D6C864DB76C8075B88EC84FB6E595208EFDD11B27CCF027231A5CB97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:18.597{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50440-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x800000000000000027528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:21.882{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:21.882{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:21.882{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000027525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:21.035{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\3CE3DF5F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_3CE3DF5F-0000-0000-0000-100000000000.XML 13241300x800000000000000027524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:21.035{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D34FDAEF-E258-4A57-A230-22BB3A38D685\Config SourceDWORD (0x00000001) 13241300x800000000000000027523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:21.035{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D34FDAEF-E258-4A57-A230-22BB3A38D685\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D34FDAEF-E258-4A57-A230-22BB3A38D685.XML 10341000x800000000000000027522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:21.024{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:21.024{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:22.728{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33B27F43ACE466DD26A03EFB9126C2C,SHA256=0626FCC9764EEE3315E2EB2FDCD5E55739C6E8FC5B14746A5F60CB93FBC7551E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:22.985{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE2B18611DBE7AC5D516A1FEC7A20546,SHA256=AA83DE510C46D80B8D28052E82946139983BD61B23084022831F2A870BF2A198,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.000{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51648-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.000{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51648-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 10341000x800000000000000027537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:22.727{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:22.727{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:22.727{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000027534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.170{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:f860:867e:9ac:ffff-56748-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000027533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.170{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local56748-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000027532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.168{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local54516- 354300x800000000000000027531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:19.166{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local50364- 354300x800000000000000027530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:18.266{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51647-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:22.026{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1360ECBD604276A7C93ADF2E6E4A2514,SHA256=C07AE9D3D806528BC17CBB80126B5EDC436D71F61DF5ACB82439CFAC9EF7324E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:23.947{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-048MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:23.846{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EF35A74DBDD14AC3566E7A926670D48,SHA256=4E747E3462A5F2256D2688CBBAF11C4BE18CCE385B34E8596C9D1D7F0EDEE72A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:23.069{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07541BB3E3B12BF82841E78D3ED4EA,SHA256=882FA8C7D509605E24BF9E20D6F4FC3A46E50378DB861903B156702FE5D2B988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:24.949{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-049MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:24.865{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5AE5F3D088BB271EB6559656D11953,SHA256=AF0B76347235ED5F8048E288E25C0F63EA97D40E42875B622AF4F1BF98D8894C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:21.348{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50441-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:24.088{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93148987433881B5B395B211806742E5,SHA256=F449B32F7B785DA4D490CABBCAEE8C5ECA4660A02285F41B839606943A39F28D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:25.949{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A35F71C07052D44A11DF2D37BF0997,SHA256=AF56F058FEF921531DFD970EBA729E44247ADAF009A0001A38628952CB75455D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:25.236{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0777D497D301614395CC3B52678C7D6,SHA256=3E56DFD190821005F0EC7E55E0435622549AC1533106BD81DDF57F12BD512596,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.844{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51649-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:20.844{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51649-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000022443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:26.982{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1993C04F6E8D2F0B9ADC5ED778B885,SHA256=69DFDFA00072A599B5C0A2B908A6618EE104216A46CDD666D4F5A898BC12ED1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:26.280{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F05EE73AD1FFC3ADCA79866517969B,SHA256=C24E852DD2391926AF69FA1C7F42F20988D9175705A1D0B663506AA706B46A48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:27.398{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795C7BDD5645F6273BF5CF1B6417FFAE,SHA256=A386917CC67D827320C61B231788F0B5BB4DE54EA9FD431E4B33468FAD743AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:27.383{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:28.444{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9F62C3EFE32130337D0D17056A4EAE8,SHA256=F1A92A4693C86FFA9E7EF123430E9BA18EB14F31F40641CC292EB19FA59F87DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:26.436{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50442-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:28.301{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=749A2284B287E62C48CCC4D1A26D4523,SHA256=EFB307A5F73B2133C211F66846931E6204F4E7E59A6C6A458C7AF9EE8B3C6981,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:28.001{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C19268DB558BB44843E7CDFC8F28B6C9,SHA256=9CA3549215777C9061C6CDEDAC55DE344CB9B075BEAD2D6EA4453EA700843389,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:24.180{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51650-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x800000000000000027562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000027561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0037f6a9) 13241300x800000000000000027560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9743f-0xc8daba53) 13241300x800000000000000027559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97448-0x2a9f2253) 13241300x800000000000000027558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0x8c638a53) 13241300x800000000000000027557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000027556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0037f6a9) 13241300x800000000000000027555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d9743f-0xc8daba53) 13241300x800000000000000027554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97448-0x2a9f2253) 13241300x800000000000000027553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:55:29.773{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0x8c638a53) 23542300x800000000000000027552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.487{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F9A6C4A68FDA520F68F3B2B67F080D,SHA256=4F60DA7F84F15D420EEA2CB64C135E9EAD95F259D754B78778AFDD4112F8374E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:29.019{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F53778678B5A4E06206A1A7642D0FC45,SHA256=F6385B9E1ECB369C48206A203736B9B3F29A7EE13D9B541E309B8510CF6D7753,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:25.484{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51651-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000027564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:30.527{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E25744F47E6B373E307F520C3BD66F8,SHA256=144DADF322835E151D23AF18AC29AD31807DBABA9FBC4F73F523E8BED0A8B6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:30.074{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7824AFD4B0DC9F7121FC24D9EF755E,SHA256=E82EB07C39BCB12527B2F66458D5836C825A7B5D52708D7948381C39476F21DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:30.248{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=DEC84EE944E138CF6F7C5E9D3B02A3FB,SHA256=077A655F476E51E3B4BBA8E7F2ED22D40CAB62038288FE7CE0EB39B76B7DADE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:31.935{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B5D-6442-0100-00000000DC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97952|C:\Windows\system32\kerberos.DLL+79c68|C:\Windows\system32\kerberos.DLL+1458f|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+2da46|C:\Windows\system32\lsasrv.dll+332d9|C:\Windows\system32\lsasrv.dll+30c27|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+17bcd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000027567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:31.812{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:31.812{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:31.596{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F8988F9B3D9693C62B4EBC01B420BE,SHA256=4005D2AC3C3D5A771B95C4947A5C5D485522B320ED0C3CBD67FA268F9BF15D44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:31.092{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=610E8FA15AC1C6C7C76134842C53517B,SHA256=A7F4523F55946AFEF6DA0FC61B58FED27C696D650E58050B40475CE4898AF3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:32.899{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34CE163D9FB9EA46D0BFA4B60A86B1DD,SHA256=24139E8D1E22DD08D3CE0085BF432BA72EFCF855B029C7DE9C587C85FA15B968,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.941{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51656-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.941{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51656-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.931{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51655-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.931{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51655-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.931{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51654-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local49666- 354300x800000000000000027573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.931{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51654-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local49666- 354300x800000000000000027572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.930{AF4EC832-6B63-6442-0D00-00000000DC02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51653-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap 354300x800000000000000027571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.930{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51653-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap 23542300x800000000000000027570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:32.633{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74D3010BBECC750A7EDB142B2673D9BB,SHA256=9DC30F4A4C52CDE763C60F2FF5E9A5DEC99CA81BBDB7D57F474EA58775F0245A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.680{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.210{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DF8D86702569132727D56C15BE4A38,SHA256=D63FDB0CDD2360413175B0A70BFA5A84C7E36DC43127EEF06FDDB56B380EE152,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:29.279{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51652-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:33.582{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ABB30D17330472E056D150170CE7CD3,SHA256=EE466E2EA3F5532C8F0F62478B9A0DF605055DF715B62724D6E7D787611B38B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:33.685{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5822659504476509E081A2EC0B97406,SHA256=6515EFA2560A9123C53793204813E341D0380373EB730840DC8E62E31CB2D548,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:30.049{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51657-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 354300x800000000000000027580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:30.049{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51657-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 354300x800000000000000022483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:32.413{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50443-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:34.684{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F940E19A14A4A16E262FA10223B759,SHA256=A9701F81D0078EF1C7DE282E3972152C193B3E8B485748756FAF118A26CAF98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:34.703{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10092EB0A735C245B2F3573D6093FD71,SHA256=11A203F2877F43F9B880537A96DD70F6BD677862C229DE2470E57D82C0523699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:35.803{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E91F0A4C8E24937E15354E14734D1B,SHA256=8434F7CD795285DF0192D8B536F909F742B7BEF458C51F45291F49CD65593217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:35.721{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42249CA90FCCA146D6300ED5A5AA2BC7,SHA256=39B1A8F205FC3AFF14F2C09829B36F064097D9297500340ED5CE4187BF939FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:36.837{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A182024438DA273DDFF3270A47F30515,SHA256=0D196686E473D2D46D187D6D06C0A0A70A5E52E85192C9DD30561B400F0352D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:36.741{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FE20825E7C31624B87B3AFA423C263,SHA256=0700F86F38DB6B6061E2EE5C958655E2F1EC253B2F62A69A1C3282D5272017FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:37.892{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4866808BCA5CADF6D6EB324C6825A2E9,SHA256=F93A215706A5CD34C5EE681950D463AE7C5B0A420EF69E5AA1764CA36C180CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:37.795{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25C9D8BDE04182CA8CEEDCC57A9A6360,SHA256=8EE349D7ADC02A65A48D8776056762129A6C2CACD05E423A73756D31FB725485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:38.940{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19FEE64EAE6FF625A5849A2FA74F5D18,SHA256=83559872E1F2D6BF7E987B1FC7EAF60A1B90D0ABAA74AC43D117E3516C561FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:38.813{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C6F15C056F23FCA2D469995F791CD0,SHA256=6849F3A0BAB8B35E768014B8AA243857B71549CFF9CC3B3D1CA4AD95B15C72EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:34.281{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51658-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:39.960{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9CB543123A0FCD02F49A9D36E3E664,SHA256=79BDD52776030C631FC2E4F7C22573A7AFC26F2F70B02D07294C1A24073B1685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:39.832{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EE661EF5DB45B6DD1FABB31378B93E,SHA256=28650D62364F7DE63339AA1B515371CDBD1786DD6315F64F5590DB5A108B7F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:40.983{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E69639EE728DBD283244CEB542C7DC21,SHA256=58CCE6F92294EB01F35880BA8A4EEAB859A0DE0F970CCE599AC237B3A1346C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:40.852{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453F723DD062B0E74D2BA8DAD9E836D7,SHA256=DD837522B7A36449CCB73D3230E9FFD5086AF71597B1637636A3DE91119C02F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:37.493{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50444-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:41.980{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=840DF1F6F4124336E7DF1207EC6FB487,SHA256=36614E5D056864DEA7CEE7D6808463553E686FD66EC864987E64F10D179B4107,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:42.102{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7484BDF600778B5838B3FB9EF22F6445,SHA256=4B6393D415597A9BDD9C6CE39938F2ED304B28C8A70513DB19C991EE7BDE89D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:43.236{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D530AD5E2337A1DDCA7AD191DB5C69,SHA256=2DC215ADCFB5FE09433CCEB6104FA41ED644799583596A1D0FAD2E62CDF3415E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:43.758{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF549BB191B5B694D9E8145CE8B10524,SHA256=F7C40843010A630FB626251AC893BC8B715DE803D15B57F052DADBB37D12CAE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:43.024{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FFDF7DAD924B9E0C51C9EA8FC03C3B0,SHA256=875042E22483C0E3DE99F234D494CAAC040429314995CE41DEDF34995CF60880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:44.254{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA90F9FBD9E3E9A89F9FC7B90293447D,SHA256=6D6729F78621176FBC99A8113CB12DF912EC366DC5C9DA8A37260DBB7E51FB97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:40.253{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51659-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:44.059{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5701835DF7C843FE4CF22B2A185C86CF,SHA256=D1CA798BAFD965D8BC7FF053134D07A738CF36D4D0FCADAC6CE1E1BAC8C2A55D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:45.374{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C71EA756B659E3AE5F576B3B99650D93,SHA256=7848F9AF7839F101E4AA4FF91ECA8EF61C45B5B94E66AC381DF64605831B3179,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:45.790{AF4EC832-6B60-6442-0B00-00000000DC02}628676C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:45.088{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFE11B367934161E95C086EEA002DC8,SHA256=535264DFC52EC9D9245FBAFE493BCB61A12EA60CC299975209D3DFA9FB770BC3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:42.504{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50445-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:46.412{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8EFA3A65A4901BEB2006227671B8B37,SHA256=7FA9FFD4F3DE64BF29FD6A6E6DD0329566DE2BC77A9722990EAE73F013C6CAA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:46.116{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46BA99E646BF08424DB31436999EE0B,SHA256=2E7E59D5C3BA8765B2F845DD481A474C53AC29E6E1E4022587C20B62E00D3AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:47.431{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C41F3D3082188D7AFBA086B737F6BA,SHA256=77C9DD477CE4243C76A514DD3C041507803584467690DE37138EDB20378DB934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:47.550{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F63D1092484F43B122EA51CDA42514AF,SHA256=7BC9CB30C7C05092AF22A027D260A73558C67CF7CC584F660F6E2C9EF08B3A3F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:43.907{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51660-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 354300x800000000000000027600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:43.907{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51660-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 23542300x800000000000000027599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:47.167{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667FD2A99EBC9DF01F7D6ACCFE1F7D76,SHA256=E189A0CFAA500559DDAA66D34C0CAC5A31A2AC05A50C03F6A86748942EB939D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:48.464{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=770B38C6F686E7779A8CDA65B59B02B0,SHA256=D4068C434F3B2F40B3E4CADAF991A14476899B3291B537B35A007600BA33AF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:48.236{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E86B75BDD411CB5EC660124274B8991,SHA256=1CEEF4CF518786D6AF07E10C507A529C298E54571D9ADC993E322233CD9BD348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:49.585{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85B5C5EB4DEAA69CBE48B49FA5D9926,SHA256=45703C67DDFC3AD747CDB6515B6E76D416AE88209803EC5F72D3294156B72F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:49.372{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51166AC8A06EF2659128A90356C1C668,SHA256=C4CE105F551B5A88BB4C30FDED8EC734109E194B65675189DA2B98B246B411A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:45.279{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51661-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000022501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:48.368{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50446-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:50.625{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D033599D5FCE4E3348BBA5A98F4963,SHA256=6B277D79485559E6E13B9CC04524F650176134CE784C6713D234DF0AAD4907F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:50.326{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D80CB6F83DC176B6AB30AAD207000A,SHA256=026D2022F5898BE17401B32A675015EE59E4E8D03C88786BB45036258AFA1820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:51.643{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63788191650DC90644C77A3BF3B7D77,SHA256=BF6792F37571410F82FEEED657638BDF8F9795D84FB01683D3BDF76FD477E46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:51.344{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38B82C2A1F7FF631FAC3C6A91333C67,SHA256=3DD2F888C4636578666D9DCDD790F9EC6E0300D4004398B02C082CA3D208CF7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:52.777{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E216F441D75D235239D30AE7FBC5220,SHA256=273C362A5F49A414151A272EBF2C10ED17A2946C49CE178493D8D19EC48FB614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:52.405{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=999FF525F35A9DB0334F45D7F0E22F40,SHA256=503A152F703F9BCB8D61FA60C1F6E76A49006E71221F0402872F67D3CE9E7B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:53.897{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4154BAC28ED9DE7D03C9AF87AEE3F3,SHA256=B99166D3595685754F3A4A34F430D956B026A114D35FB1642E5745E8275037CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:53.433{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8732ACEDDCD85D838D20FE29825A22,SHA256=237AEE107ED3ED8FA8BB27B5B4E59E7EC1A58A301C9B4CFFD29F882BC6AC21C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:54.920{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD79BDE3F017AD0DCED5B59D81CE8FFF,SHA256=D18ECFF45381AB51781978EA3D0ADDD4A4DDA1C8F56056741552FFBE3D0A8F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:54.467{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B76E5D5204D337A77B8717A79395FEE,SHA256=A3BD69AF976FE27596C5B2301D8587A7F08D1034A5F6B6761C3731F8EC2E0F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:55.487{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5449E441CEBA428A816C4C0102DDE790,SHA256=EBB3EA57D887276E593945EC009E0EF202F3FF0CD97E36472782E99792E3F1E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:51.320{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51662-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000022515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:53.480{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50447-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000022514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-79CC-6442-0003-00000000DD02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-79CC-6442-0003-00000000DD02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-79CC-6442-0003-00000000DD02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.340{223CB5FF-79CC-6442-0003-00000000DD02}4064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:56.039{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C1D03354B26B06D644485293A2BDD8,SHA256=9E12B57AA445A8DDE671E404A4CF538DDF14E28421D12145931E5CC379EA317B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:56.542{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3085F5E56459CA9CEA3420ADD4F1D358,SHA256=BA2A02741812D032086D89C4B3CA5A57D9C619CD16FBABB9930B6D872CE0A66F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.909{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-79CD-6442-0203-00000000DD02}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.908{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.908{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.907{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.907{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.907{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-79CD-6442-0203-00000000DD02}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.907{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-79CD-6442-0203-00000000DD02}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.907{223CB5FF-79CD-6442-0203-00000000DD02}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.489{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A1D43D798173FA14E67A8BE9EBA9139A,SHA256=5402ED058282FC1DA8E9A6F2CC0F172C57A4CC377278B64593F77CFB3D5D3A69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.430{223CB5FF-79CD-6442-0103-00000000DD02}39566844C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.358{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B16728A0A652B07E7A18CF323D8F4579,SHA256=441C09A521603294D37F9A224B04A9689404BC7EA91783AE5DE175011FF085A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-79CD-6442-0103-00000000DD02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-79CD-6442-0103-00000000DD02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.242{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-79CD-6442-0103-00000000DD02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.243{223CB5FF-79CD-6442-0103-00000000DD02}3956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:57.088{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1387428C6EEDCE6696771B605512C83E,SHA256=F0AAA0E3222CD71DDE74D7D8CFA6BBA148991401B2CDDB7C3F991C30005F21A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:57.576{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE2B13CEAD0861D0379E51F92D801DBC,SHA256=A1E34D8A3A28C5DBC284BEBC776E7E5265EA93FDD3CC6E45B4A7ADC55AB0D72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:58.622{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0884FAEE1254F420DDEBF4649E9F5118,SHA256=56BE4E7162211A77C681A708FCE63B6F33D2A28BFEF6D9CE9F9F5278259A9C92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.730{223CB5FF-79CE-6442-0303-00000000DD02}67085360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-79CE-6442-0303-00000000DD02}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-79CE-6442-0303-00000000DD02}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.545{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-79CE-6442-0303-00000000DD02}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.547{223CB5FF-79CE-6442-0303-00000000DD02}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.112{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFA2B90278324B947C61219F7330921,SHA256=8CBE33B9859D6AA9F9D398020EB5E569AC4E820460065C880A469359A79A174F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:59.666{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A529FC61AC94ECB539ECC5AA89CA0A80,SHA256=86F372406ACA113895393D5F1CD89508740AADCE36F87012E8BBEA317B1F9CA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:59.314{223CB5FF-79CF-6442-0403-00000000DD02}64603552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:59.162{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4911A80A14E705FF9AC7E8647C777C,SHA256=75B3221E1D91E2D6A3B2777071E6B5EE86843AC88F105317355A46F74507FA34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:59.146{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-79CF-6442-0403-00000000DD02}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:59.146{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:59.146{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:59.146{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:59.146{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:59.146{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-79CF-6442-0403-00000000DD02}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:59.146{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-79CF-6442-0403-00000000DD02}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:59.147{223CB5FF-79CF-6442-0403-00000000DD02}6460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:59.465{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1329CDE0A1CBE08E68C91713E1ABFBCD,SHA256=712251D004756558FCB8EFF4C483C53115D424C07512EF1C4DFEB308CC9ADC4A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:56.334{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51663-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:00.702{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49859B578F13C955C6A4A42CB2292A8C,SHA256=228AF66108B52AF1F35490D5B039407F0A1D84BE15E34F364AA2F14F1F496A37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:00.866{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-79D0-6442-0503-00000000DD02}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:00.866{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:00.866{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:00.866{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:00.866{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:00.866{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-79D0-6442-0503-00000000DD02}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:00.866{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-79D0-6442-0503-00000000DD02}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:00.867{223CB5FF-79D0-6442-0503-00000000DD02}6672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:00.180{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678CBB14B33EAE9E8A7DCE356E0B35B0,SHA256=91333C0AE9888540F64AF63EA457C013F9F78DA568B2884C785FA3C754D69C0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:56.534{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51664-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:55:56.534{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51664-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000027622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:01.730{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D061333C1A7697329BA2420A3BB9E2,SHA256=85F694108E2903A9C4AEEBBB65E2E3689A865E1BAF5690C0D1F20196AA5DBD91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:01.459{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-79D1-6442-0603-00000000DD02}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:01.459{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:01.459{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:01.459{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:01.459{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:01.459{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-79D1-6442-0603-00000000DD02}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:01.459{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-79D1-6442-0603-00000000DD02}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:01.460{223CB5FF-79D1-6442-0603-00000000DD02}6856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:01.210{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DAF79BC3A1E7A2FDA7BC31FCABAD3A,SHA256=A48184A757BF13825CDD910EBF39BF9402D6548D4D36AA983FA04C2F976CF266,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:01.200{223CB5FF-79D0-6442-0503-00000000DD02}66726964C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000022565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:55:58.495{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50448-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:02.860{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E5FEFBF9A4D18ED4426D2571286A10,SHA256=C389A1A32D3964CF26645AFCDD22C6D8F704CF763CC30649E8DE378DF70A0B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:02.260{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D520F142D214B82F373D607DCE35407,SHA256=064449E88EE7DDF925C4F13A7CE2F9CF195BF69DCC9B5DE4555AF670BBE54E5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:03.911{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBDD8FBFB70235B71E3F65585B0FEE74,SHA256=67D1BD092D684A0C0D3D7B201F94BC7EAC1D277C7CAE9945EA5DAF92AD06BD4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:03.294{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391FBF90376C6B4CB74C23436E754F00,SHA256=42DE31F676100670D6D769B4730B309F1AC58010AA24730A64934A26B31F0713,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:04.949{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6172C6CF025CAF8B58A73864A2ED0E,SHA256=5F8F55F99469E19B36F14BEE3E5AA6F7F71E7731A54C7DBC2F2FBA10004159E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:04.314{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C656F18949E6FDD133E9375640DF251,SHA256=510743688EB17A7437F6291D3A686E643CC30A5A550CD7AD4E39F161E69949CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:05.337{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=968F531FACC507BC35A63CEA8E846B35,SHA256=AB11CEE19029F222ABB227EAA7AC65BD5365FA64DC5BA21AD88B2CBF857F6706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:06.355{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8BFC63FED6BC408EFCEC6405A754DB,SHA256=2DCA0C94A796EEF1C5DC4F1E52CF2A7602BFDE2CAE5B465D728E1C66A1601644,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:02.349{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51665-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:05.998{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6520014FC794F1393A0017688AF794D,SHA256=A6E2977C67300D7FBAFFA0FC2703B2B9B757DD81F9B8BD78AE1EAD9B9F554B21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:03.949{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:28ff:2bca:f5ff:fef0win-host-ctus-attack-range-328546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x800000000000000022580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:03.495{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50449-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:07.906{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A3530E21EB951EE3534200B4F25BC2C0,SHA256=76FCE6C2690BF84E368C159311522DE81B92C1CF14A68DB4ECAF986D3BF0F8A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:07.389{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C9ED6D669902206903F9EEE17FD8E4,SHA256=24AB8AAF00C978A0EF28365899004E261FE59A4F3813669EEECD9F74310BE099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:07.044{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8006752A16A0C9C7C207F55EEF4DCC7,SHA256=99FAE3B61D15831DEFE48F1D17ED6139A0CEAAE070E7E7DDAFF941C58E550B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:08.507{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA22C9C4A584203DC146D03EB68897B,SHA256=57458F4B18014060AE7D8C532D96E0DBB4907847C2F4F92011B78D57FF28B4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:08.088{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=717905B58A23704264D09CB0C90B2BD2,SHA256=65426F8D05B82B307C49857F09C6DCA82712EE2C79891EEAF6F2546DAC66A062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:09.547{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE52E127688671C7FB6BA403507BB039,SHA256=0CF3AE4AA54F64F18B72A0CAE44E977B7D6EB8D60B1A11AFECCBD603DBCFC2AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:09.123{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2D0B30E1D0B657ECCFE0CE151CAAFEE,SHA256=0B0DA3B1BDC10DE7609CB92C2AC491F5610C52B5A5237C088EBD9C21771C4FCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:10.565{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C54C23A9A57EE8EF67AF971538FA391,SHA256=54352336DCA3FA72A657399DAD4D42FC0BD3776790199FC35C016771F1AFF7DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:10.152{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD06219D9BAC3FFE39E66F70CD3F926,SHA256=0FAF57947C39EF0CDDA409644651294FBB7399E91D064D7E3468E831D146316D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:11.631{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD3558273CD83398603F5E52C9351228,SHA256=BC1D044B562B2FDBDCF5D744EE4BC1B08C958B13C25F73400F495D11A44D2006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:11.180{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F31FEB44761D208CA4573A270103815,SHA256=D9EF93BE4ECB56F29F923C7D4F54A2431B97D752E6502EC672B6C72A3B943EAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:12.670{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ADE42B2D0C0C9FF6901009E80F1D710,SHA256=B3DA9440D0F0F30FC6F1A6CAB659E5FFE6F95B769DC86DC9CB38B0A522210D6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:08.238{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51666-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:08.125{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53165- 354300x800000000000000027635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:08.125{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local49310- 354300x800000000000000027634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:08.124{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local52525- 23542300x800000000000000027633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:12.214{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A57A6E051F9886C16FEC8C34C9EEDE3,SHA256=DE60ADB3F4D0DD9698EF3701F5F31FE058CC79EAF7D33681DE188F7D8BFA3C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:09.431{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50450-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:13.720{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703EA97B90F1A927D9F5AE3ACD3DDE7D,SHA256=8FF41B0D3FF1689E1B837EFA071E633ACD03D4007FA3EFE421B3978DE74FCD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:13.284{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A538CA6516673EEFE932AF32C8BC153,SHA256=A38DB6691102D2864ADEB4AA90CBEEBD7586747101FFBB8AE9C1B1E4D276062F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:13.235{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:14.839{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C5EEF95C277B321719D2241E1FFFBB,SHA256=0139B7B096FE544775985BD9B574161B8F78B54076526C9FC73E99C6BBF7EFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:14.316{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6074ABB11276A13135781BF5213371F7,SHA256=98719E7D62C3A4DFDCCF17BFBDDB76F560D868AB35EFA9A3161B1FD481B749ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:15.892{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A735A2D00A8A5647A21C4418A8BAFAD,SHA256=EC354305D9E2D631668DF61944F2077758176FFD12A73178083B7C05F831CBA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.447{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58334C507EF420254545002454D7D7D,SHA256=93127F0269A54AEA53B926BDA93FACDBA0DB28C1D55EC64B0CD409F43ED8807D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79DF-6442-5706-00000000DC02}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-79DF-6442-5706-00000000DC02}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79DF-6442-5706-00000000DC02}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:15.102{AF4EC832-79DF-6442-5706-00000000DC02}5672C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:16.910{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41E1E0491E9335B6D9B99B487D45B07,SHA256=F399B8D6C8FF264337C6BEC13F3DD984DE31B06842145917ABD2AB2D3E0C95F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:16.549{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0E1E4DDE310C078E02AF4B0F2AD886,SHA256=8F338A91B06FACF368BC110A47A3CED4543791D4D9C2A8C5BFE34FC8CE3F3CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:16.301{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-059MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:16.215{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B295628650EBBF9DBB0570651B596506,SHA256=39FC73555571AA674C01D5C363E5204E55D71DDBEA0EB748B0C1B9B07CDA27F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:17.929{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9536CF31EF82DF68F89CC22CD906C2D6,SHA256=C1A196436572367BA77F2851066D6F0E46291D013617F81F775903DEB68637E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E1-6442-5906-00000000DC02}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79E1-6442-5906-00000000DC02}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.701{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79E1-6442-5906-00000000DC02}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.703{AF4EC832-79E1-6442-5906-00000000DC02}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:14.209{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51667-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.632{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245E1B900CF040A040D1986747BF3322,SHA256=DB2FAE570D49745A5CC1B88C04F90D60E2512FC8B886A57D9C51F58267FD6EE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:15.360{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50451-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.302{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-060MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E1-6442-5806-00000000DC02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79E1-6442-5806-00000000DC02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.075{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79E1-6442-5806-00000000DC02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:17.076{AF4EC832-79E1-6442-5806-00000000DC02}2852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:18.948{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C28A787FA0EC045B73F22A7321FD6D0F,SHA256=9260C16A1E94647F9DE4B3C6504AF46C70630EA71AFB958CAA48A7C9E54EFCED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.699{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F98F09EC7AC043A609859CBA2DD978FF,SHA256=1D9D7F080905FFA711EB9468530904C67BF5C7AEC8DD5D838EF3BF906957E30D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.484{AF4EC832-79E2-6442-5A06-00000000DC02}57564520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.320{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E2-6442-5A06-00000000DC02}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79E2-6442-5A06-00000000DC02}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.317{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79E2-6442-5A06-00000000DC02}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.316{AF4EC832-79E2-6442-5A06-00000000DC02}5756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.012{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=263FC21AE3979B63392CE6501C3772B5,SHA256=9BEDC0B715B55A541A3E8E562FFE3C80D9C2B22C32D6D26639AFEC6C6FD72128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:18.008{AF4EC832-79E1-6442-5906-00000000DC02}65881508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:19.971{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2ADD98B05BFD0AD95EEAE6D0BF49C4E,SHA256=8DAEDDDEE2796A5A8F030DBA59BD8AF327508D43BC1E29A2DF2DDE46AA65309E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E3-6442-5C06-00000000DC02}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-79E3-6442-5C06-00000000DC02}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.901{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79E3-6442-5C06-00000000DC02}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.902{AF4EC832-79E3-6442-5C06-00000000DC02}5632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.820{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3E6CCC04C87713E134A7F988A31C92,SHA256=108B5AFFF74F3451F8D925DAF229F48F1EE94F481BD8259BE933B7D3FCD951D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:19.370{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E3-6442-5B06-00000000DC02}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79E3-6442-5B06-00000000DC02}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.244{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79E3-6442-5B06-00000000DC02}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.245{AF4EC832-79E3-6442-5B06-00000000DC02}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:20.990{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F4423CAB2A2FB8851B311FFC2C083E,SHA256=A3227B5E735D0B25858FB476AB8439C21583161D2E8A02DB2D1A5D7D8984E4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.951{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81B0074ADC4E0B46437FEAE6C9E00A6B,SHA256=7B467AFB0C871732132F03DF16AC064A941C93637D79C2C1A65445BF957ADCAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.710{AF4EC832-79E4-6442-5D06-00000000DC02}68406000C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.526{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-79E4-6442-5D06-00000000DC02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.526{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.526{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.526{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.526{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.526{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-79E4-6442-5D06-00000000DC02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.526{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-79E4-6442-5D06-00000000DC02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.527{AF4EC832-79E4-6442-5D06-00000000DC02}6840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:20.296{AF4EC832-79E3-6442-5C06-00000000DC02}56326824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000022602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:18.631{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50452-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000022611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:20.469{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50453-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:22.139{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305728D333226330C8E580E6C2942F52,SHA256=2FFC4F795D726842AABEF6CD3F535670422A2A3BC9AED5F141E05734640A8FF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:22.033{223CB5FF-718D-6442-6A01-00000000DD02}35961160C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:22.033{223CB5FF-718D-6442-6A01-00000000DD02}35961160C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:22.033{223CB5FF-718D-6442-6A01-00000000DD02}35961160C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:22.023{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:22.023{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:22.023{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:22.023{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000027712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:19.261{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51668-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:22.068{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EAF3C334724CCBAC07C3DBFB860B440,SHA256=E632DE430376B80009885EDE415914880149170E745402DDFB1B94A41EE3B421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:23.084{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FDB5FF922AFB0EEA50575E9B174A1F,SHA256=5C53F17169986E15C8741A34E5C8C66D7CC8440F6ED70476C0D4A383A55BFB1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:23.103{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CAF50A44D33ED297A1A35EADD37DE4F,SHA256=34048AD7CE26AFD44AD4705C1F452F2B88329703F186897401DBA5B7EFC8B5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:24.214{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BED639EAE73E7A810A4206A6AF7FA948,SHA256=AFB75BAAB31659820D20C3F2B20EF291293784A85A34502D0DC5904F33C8043C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:24.255{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F32F70CD9914D1A5711175A632A151A,SHA256=A5E4CD23F06532A49F764B7FD09B2E65AC3F16B5CD1EE1272131A773D6FEA383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:25.465{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-049MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:25.230{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D74ED76FB4C1BE02AAB74585B2F144,SHA256=7288B15C805A777CA6BF5686CE0D94908704853AD08506F6912ECBD55B48545F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:25.356{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1320E2EEB46B3C4BC36DE99F44DB1B8,SHA256=F88D7163876AD5EC9D7D6DFFCA7F95C7A2095691C52B34886F031BB32FBA7C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:26.388{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CF628F45FDAE42FF47282D9EB4ABC0,SHA256=EBE40C0E192B954D0ACFE3E970BEBB66B0112CC76A949967C6D9D9F45430757F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:26.466{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-050MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:26.266{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5FF6BFAE110642793DA12FC067E6F4,SHA256=97505183EB67861B3AEABB5FE25387FEF50B0836240D1347E0242CE792942D6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:24.314{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51669-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:27.433{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:27.408{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5204A627CB50ECBB278CDBD088A86D9,SHA256=16B5A5A40BDC9109781188E7EF008C8061F17BED85E622AA940BF587E4EBD808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:27.420{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7181EAAE3D1806B60378DCC4158ED339,SHA256=14A44E5410F2744C5851A3A132337FE4CBA88DF2F04C6490479412B74FFF6D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:27.289{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93410F4D4E3D5213DBF97159D8315C4,SHA256=0B935A0979BE0C634530B11B317CC82B7F5E119128FAF8EBA88B6D32735B283E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:25.514{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51670-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000027720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:28.560{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA5E0CD8D5CE754F4175C50399079AD,SHA256=49F460580FC8614C0C7765951441D3B1E8F1E19B42AE6417CF3743C35B15FBD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:26.402{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50454-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:28.322{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B8E2C2EA927DB3A772FB034AB58C6C,SHA256=8DC0CDA518ADF3E14D4BE9DEE3A9A6C7CB372C456E7F55E065E870DF24B83328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:29.576{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15917FFA89E4DAD763D7F1B1C3B4B9F,SHA256=9B0F3FDC38B9E7802DC6F5A2394D3D9451267583693CB4C64D557D729F9F890A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:29.441{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6398FD24B5D6B396B482D89BC1F7BF8D,SHA256=F1738E9DFD8215E62B9E7A4DDD61F9696B07702CC304B0C75D9FCE770B4267D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:30.693{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03254ACEB0224840059D6D3EDF60A250,SHA256=A9E738F09B32450AC3012A06441D0ED25B77B50C0E0D73A686084B7C33A255AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:30.476{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7203DDCCDF790C2B47F3D4A867F7069E,SHA256=7BFF68003231B9B38780E4B901E04A21F2D1E8704FEBB0A4BD57A65653E9F4F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:30.262{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=589465074D9192CC5822F823731B2EF6,SHA256=171E6C078859056D68332A9D3E4E9ADA9B53C04B0BE66C1C57E6033429F79F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:31.795{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8B1CB095D74A0259E964A98874AC33,SHA256=6B953F9E4FBBAC58482B9293B631F8995905F32274AFDD522A0E82CA1FC4BCB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:31.498{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7D6C744BD10A8F74F71BE216165C8DD,SHA256=710BA1F91BEE1EFC931ED30D5255A69489177E92DA26D84E6C287ED368B0433A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:32.814{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E992BB636150BC3EAF8882203757768,SHA256=8A8E99F9844E91711A54A2E99F3640E65CD6EFC8F0D314AA3C87DDBE505BB652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:32.532{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C52BF8D29098C871F0B9EAEF46139D9,SHA256=FF2D83B3BB635EE434E2DBDFB43774811608A35BC66413B80E95588F3388D44C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:32.039{AF4EC832-6B63-6442-0D00-00000000DC02}8964028C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:32.039{AF4EC832-6B63-6442-0D00-00000000DC02}8964028C:\Windows\system32\svchost.exe{AF4EC832-717D-6442-1605-00000000DC02}1204C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:32.039{AF4EC832-6B63-6442-0D00-00000000DC02}8964028C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:32.039{AF4EC832-6B63-6442-0D00-00000000DC02}8964028C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2100-00000000DC02}2448C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:33.565{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=229032D97D4EA72B82BCE8A400EABA82,SHA256=1899AF9F0D016C8661850F80B84EB5318408843E9ECE9296387313BAB3EBE7F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:30.272{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51671-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:33.882{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB491FA4FF2E5D9902B4DF7583A055D,SHA256=AD99EBF0DCD7E7E12068D9E56E7D822F8C2188901D5197F96B201141CEB31E3A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:32.365{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50455-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:34.635{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F224DAD15BFB3F219E09B6CBBEEF5A4E,SHA256=1919986063971B66CB802C5FA9409899A2C8C01CA62031E3D3554E6C2F101C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:34.967{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BA84E69ECAC5191BDEBBD498AE6A08,SHA256=90AD0903E901A5A3352937424C91516440AF9F83D5D08D42D0382FF95084ABC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:30.751{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local138netbios-dgm 354300x800000000000000027733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:30.751{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x800000000000000022629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:35.652{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1D6CB801AE44BBEB3628268624FA5A,SHA256=63979E02F6FA5198D580E4E8E892BBB34B379661B4A939729CBAF60E0FD31E0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.143{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:36.753{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B42DDA4C9F4BE7E627D1C0961B4D43,SHA256=95BA17837C6642D13098EA06878D651E8C436F54E78CCEF5DF724A93B16675F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:36.117{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3657BB4FB885AD6AFC2A9C736C0EF8C4,SHA256=F89EB0DB4A2A09155100A80067EEA77BF905795750D34E8C800C187F55C38FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:37.823{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4AA3AFAD1BA42683129F2D9C4706A4,SHA256=9AAE63927323AB7ABF2457C28432AC7A04A83484AB065F387F85EE221F61BBAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:37.219{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4094E12E2A7C7B7EF10BAB9FFD0543BA,SHA256=31E8210FDB7CF37245E3DF90E1A29B8BB95A47B2BDDCC1BEAFA4A2A83E74EF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:38.871{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB72A050F2299C1E36676BBAE78732C,SHA256=45BD0C349E09F43A4C822036AF58DEAAB5D325F51083C01D7E436C08875458AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:35.277{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:38.346{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292286E4C6BD988892DC6B04CC4F9BBC,SHA256=7AF28796A8E02E84A580FDEC92B94EE7AF4FAB6E08A174FA238DBE5471BC4171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:39.972{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCAC170F1D427B0C7D0740CE224A0DD,SHA256=5B1DC07CD31F0AD725DEC643FBE4622BDA2AC608F8EC73CD02796C7AD61A77D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:39.473{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31C498A4CA59FCFD2F50ECABF1F76880,SHA256=1E6BC2E8611597296CBEE702E812C9F24A26A72E5CE41ED6040D60D192B815DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:40.550{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8BD9EBB7DF9074197A7C027FDED5B1,SHA256=31B1773CE1C09AA11FADCAC387D350A90B003B55234E50F30C9C53E1E13B042A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:41.650{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D231C037815424998044E4A0532EA49F,SHA256=1D6957A9B029FA6BD5662CC25055DE4526CC60A856D3B54EB7D3FE1180D47669,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:41.073{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1475876086F0707B0E6E2119ADAC7BC2,SHA256=72C08A0CEE94AA15BF043BDD511859C1B13D8021C08AC468641272CED805A4D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:42.777{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4702FEFF23E271935BB3B350E8E0478E,SHA256=820FB7FDB60DDA702D9918406F0D12410EE9DC46154CC9D9C19A92A63E3604E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:38.322{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50456-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:42.174{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1ACC4018658E43DD9992BF9B739D48,SHA256=BA5B8A72F4E6F12A3C1598A0DFF46666D5923E337ABE416A4EC8CC3279CE5E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:43.952{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F7A3BEB13D799CE19E452913C24DEF,SHA256=DC8B52E1E6D29C10D90C1860654E83A03FD6184CD1F9FCF58F45EF987140E31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:43.260{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81F5AA7E51B3E1A9EFD48A52A4D8AD9E,SHA256=AE9C95ABEE52573416DA6830DCA94DFFF46D1340F107B5F76C11592ED8834D12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:44.314{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEDA50F842314875FDCACEC8DB3DBDC5,SHA256=2F7E6C12CF4454452EF2DFF55F3EF554FA1DF44272C6BDB60BBA6182F032FE6E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:40.314{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51673-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:45.416{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA28B3120C76A6D032DA0F6DB157EE72,SHA256=2D41E27B7B7F9F8033F85707E0B53C5A1BBF8F351E8393EE7B313967C9E1627D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:45.010{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=158AC0A58760267651D6F164E704A6A8,SHA256=16695729459070B11982D62C222ECB02FA090F0855CA5CEF166617986868EA18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.701{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+d30b0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000022646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.701{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+d2b91|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.701{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF2f5fbf.TMPMD5=E8C95C0323BE7CCD9EB117E12775460A,SHA256=5B51629C9D0B874061143DF8659E57E1A50CF449C0146525A6EB2E3CE782E510,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.533{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDF457C3F2D1A0A240F647C12597685C,SHA256=A691403445890BB20A9021694CC6A77F3CF66A3EEAD7FFA872914526F3628A59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:46.597{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:46.597{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:46.597{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:46.054{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72758C980EFA737E4C3041633FDA1A4E,SHA256=4D33FDCC5473CD589D85004923064B3B2E1C3C201F9871D0479DC68A962B51EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.217{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-718C-6442-6301-00000000DD02}2504C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.217{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:46.217{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000022640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:43.477{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50457-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:47.665{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9928EF56A56495D2545B7E18B960763C,SHA256=ED8F214274D076EB5896940DF9D453B900019AF8D11921BABDAA810789EF7FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:47.281{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=F6EDCBCFB2AFAFF9BDFDCD7049898CC8,SHA256=B5928744DCFAC0F05C24C40B2C957F148A2EA218219C793362E8348F469DEF6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:47.097{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BA30C2AF6538AEB36405CEB10B263D,SHA256=A1B975F6EBB56DADE96B2053F312E69DF172E0DEB5443DDB6E9F0BDF31A85C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:48.800{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C1DE8E36203389A360330860FFC81B6,SHA256=9FD7BD79100207BD8B6DB59AA7DAB6DC29334C1E8BACE2B66F9AA358A01F4436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:48.213{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1038074514E4A12008638365F6BF7D,SHA256=892CE3DCBC5EB5142EBCB0B19E23376E6F3514EBD3DB891431F0C3CDF4EB5C43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:49.868{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B004A9517163DC1ED72A89C200958828,SHA256=7BE62D511244F2467C799D6B30065C0C9175CDE23ECA9AAD3EC4AE4844E7576A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:49.332{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16096631DFA7D17E9F25B98380C1FB7F,SHA256=7C32441263E3CC443E4BDF1B8ED7AE9ADE518851DE16197C8662E633DB3C6380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:50.885{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79FEE2D4AA93F0DB5D31E6529824C113,SHA256=AD57E8768071F077E0FDA6492B2623A5403975181CD65D53EDC970E4DA3DE25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:50.434{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F3DD0788DAF816677FC02E624C9F599,SHA256=09DA47957C439674B2DA2A49291A695D62BBB3F4977009073AF1110CC2FDF962,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:46.138{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51674-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:51.954{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687143CC0D6D308D49131CB300F3909C,SHA256=29164DD263E6266C1BDA3831B7985C94549024907A9390EBD8277ED9AF529B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:51.485{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098F98429449F33C656FC29B5C71C0AE,SHA256=CE4D071BD2EE32EE3D44DE03004B57C69F50C1D4E9D56FD43C569F8F8B26B7F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:48.481{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50458-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:52.986{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0E4133358EFCDA0790EEDA2F473A2C,SHA256=1F24E8F0831B32BA3C24869DA7AFF370A95C6351B5BE67E65AA9DC281A16818F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:52.602{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696B457F2D12398D9C6CC7FF0A6ADED0,SHA256=82C534C3929FD51E0D43A29962AED0B11AAEFF839934E0505A388F6BAFF76C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:53.663{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3DD4D0C5939FBF2A80F804D458F152,SHA256=57A86271E8D2F9FDAD2C570AB306776A60BA69340934882D425981C4AF8A87CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:54.789{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACDE17E9243CEB168C4BF3CE2334777A,SHA256=AE98F3483C05920BD7C9D4568F9EB20CD2488C8E7CF9B853A5E88DFBC09AFA00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:54.087{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADD05DF4095F11BC2496984C3294C4CE,SHA256=06487E941BF42B375506886A17C89E8FA727C98A59248C719C2FE007616EBF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:55.865{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7674F1E102971631D5A558E986A6BCEA,SHA256=BE6500636E965CC3A025FB2DD9E48AC7563E8EF9B40A70392A6B116F5E8E9DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:55.173{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B7291ABB5DE9345F6604582905C9EF,SHA256=72BB715A7138684FF6B3E28D189101B0E59AE02E140E2F80565A45BF676BB872,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:51.207{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51675-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:56.976{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F0D7E4A7918959FD242DEEE54A5ADBA,SHA256=AAB414919A66C5F48595A167C06E9FD8FCFE2422434DDD008857D66B29875EFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:53.488{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50459-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000022665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:56.342{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A08-6442-0703-00000000DD02}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:56.342{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:56.342{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:56.342{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:56.342{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:56.342{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A08-6442-0703-00000000DD02}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:56.342{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A08-6442-0703-00000000DD02}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:56.343{223CB5FF-7A08-6442-0703-00000000DD02}760C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:56.273{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795C0CE8C67160F2430D300CB59925DA,SHA256=8767AEAD0D2D384E25C1A1D57B6418F98873CA091B0F01FF17743760A35F4530,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.929{223CB5FF-7A09-6442-0903-00000000DD02}61521072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.745{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A09-6442-0903-00000000DD02}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.745{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.745{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.745{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.745{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.745{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A09-6442-0903-00000000DD02}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.745{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A09-6442-0903-00000000DD02}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.746{223CB5FF-7A09-6442-0903-00000000DD02}6152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.429{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E625B5D26B6A11144B01CE13F9A46D59,SHA256=3674CD0B1E643E4262CD85EB48156F6BB3028593F741282DEEF3D8EC5F3A5902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.429{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B87EBCAF4A386A5A1606F10A29D4753E,SHA256=A32F7DB272774CFB9C43750666B5A993CF96C3C6B20A6DCB084171A6E3105A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.329{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075567CEE2A926F5A67A47CB47372B57,SHA256=3E1DF9B56D735FB1F1C4BC648762933030CF1DB563B52654D762232780D8AA6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.258{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A09-6442-0803-00000000DD02}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.258{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.258{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.258{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.258{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.258{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A09-6442-0803-00000000DD02}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.258{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A09-6442-0803-00000000DD02}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:57.259{223CB5FF-7A09-6442-0803-00000000DD02}5444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:58.777{223CB5FF-7A0A-6442-0A03-00000000DD02}62646448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:58.561{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A0A-6442-0A03-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:58.561{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:58.561{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:58.561{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:58.561{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:58.561{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A0A-6442-0A03-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:58.561{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A0A-6442-0A03-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:58.562{223CB5FF-7A0A-6442-0A03-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:58.430{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA24F40C3E89D2DC539D22D295E149B6,SHA256=08765A5D6A836B048509F8BCBD08ABA1100FEB9E29733CF3E637ABA8448060C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:58.078{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD246B68E3688981E8D2136799FD2C5B,SHA256=1F1E854821AD1B11C7EA443D1DFB49B6C58293920975F5DF64B9CE9412A36280,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.446{223CB5FF-7A0B-6442-0B03-00000000DD02}70726148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.430{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5860FC7E00C23B9B07BF8E6344B8A656,SHA256=B5866D99ABF384D8E91731FC7C0E045FFD09804778E9A9F4E31238EB4346DB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:59.526{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2794F1D4E76987B89AD1BF70A9E37571,SHA256=39426D4A19E225E4232254199E212B4321FD2AD31FFE3AC23DCB49EE20C4D9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:59.110{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFFE7A03A6353D4056137531C572D2C6,SHA256=62F2B4F0FC03B0B151071FC5F674CC68838916AE3C777FD1D561DD53257A315E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.230{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A0B-6442-0B03-00000000DD02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.230{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.230{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.230{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.230{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.230{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A0B-6442-0B03-00000000DD02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.230{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A0B-6442-0B03-00000000DD02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.231{223CB5FF-7A0B-6442-0B03-00000000DD02}7072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A0C-6442-0C03-00000000DD02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A0C-6442-0C03-00000000DD02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.870{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A0C-6442-0C03-00000000DD02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.871{223CB5FF-7A0C-6442-0C03-00000000DD02}4580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:00.531{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D07250958A972ACB61D6C109BD9B07,SHA256=D871AAF96501113D633E1CC71A517E8D1CDB6839E679EC7C034EE5A5DCA5C1BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:56.545{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51676-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:56.545{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51676-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000027798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:00.147{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73321B030C9BBDD2010D4772A4749643,SHA256=7A69C88800306BAE67A934B24FB6982A03D3F2724FEF6EB70076429008EB26F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.624{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B7D58A84EFDDF1BBC040CE6C525FD0,SHA256=88D9F62D545E6296551A3E5064D12E7D44CD8E4B50CDF8D4FD89BFCF506371E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A0D-6442-0D03-00000000DD02}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A0D-6442-0D03-00000000DD02}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.540{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A0D-6442-0D03-00000000DD02}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.541{223CB5FF-7A0D-6442-0D03-00000000DD02}6592C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000027802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:56:57.174{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51677-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:01.281{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51235F99D9B72E5B7A7294EAC030E3E6,SHA256=2DEA9A684C06350818E90CF79E715AD2A2CA05763113B59091C3E3DC2B2028AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:01.118{223CB5FF-7A0C-6442-0C03-00000000DD02}45804804C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:02.641{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8F7AD6C2216DD4D0FBCC12FD84B939,SHA256=8E9D7D24CA96BE84B76E7FD5C76AD8D0FE041A4437FDDAE173A1C4BC1E5CA395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:02.413{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69420A661BA3DAD90B7442651E7352C,SHA256=E4E0190DC9F8F6B704437EBE218F7C1900C5C50F47C39C359DC266B2001B830C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:56:59.343{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50460-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:03.758{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121D713BCA185480C1A75F77711A99F9,SHA256=ED07D3EE71A2E1C536806749AD88C7A306B721E8BBC90FC72F52E98E56787187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:03.430{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C008B47FD8609FE5272D991A041B0D,SHA256=0416794A4D531611081FD7EBBEC1DE6BB250F64BA6D3D086159773B1206D608E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:04.774{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DBCA4C10370B0F38F3799EC26B98301,SHA256=B1A95FE94A41C6FD88B20F8A03D85807515D90E8DED333AD42E5B03D071F1594,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:04.575{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771E1EFEDCFC4B95C3AD33170A55DF9B,SHA256=FE60A48D56EF4E3683B8A03512ED155F46D6BEBC4025B83A33D7BF0E9B42891D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:05.806{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C876A8B2A748F7B1FD1A918FCADF2BB,SHA256=2BC8D819F429FDB13D159F7648F2FF191D12B5A1E9B23D4B6E58765FF65A76B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:05.633{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE59B9388ACF9078F4FA3C1FD5EEA67,SHA256=56B4831A0E46EB442CA27895E0CC50F7DE3E8D822DBC987EF71E911CEDA0D3A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:02.188{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51678-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:06.907{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA4902D91B4185CBFC9D7799311877D0,SHA256=73757275F63F304B409A2E084DC1A63934C759FB27E8581F982FBB01AF13EB99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:06.652{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867576019639139512E92AAB7E1DCDB6,SHA256=BAAD33C6B34DFD66334E6BA5FA74B92CF93184E72C0E59FD1D56A8DC8E125668,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:04.506{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50461-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:07.920{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4312DA97EBE70889492064A4C8E514B,SHA256=A808EFEAF2F371FD423D1441215F5D27A960EDCAA832C08D0B6F638C119D3F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:07.804{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6627C742C1254F73AA4E52D7213039DE,SHA256=A1F0D6DC26C1D1006A8913445F1E905C9DEF2BB1A0F4C72AEE3189138770B7B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:07.924{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6E9BA44C353F491521D9CF12390B17FC,SHA256=208569679DA7F821CE2C424FDD154A9C16A3AA212AE760299992ED732C23E988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:08.821{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AAC4B3007D540DD2176EB223B80E00F,SHA256=D01C8B1DAACCB98ABA143FF81F9AFD57D32484A9BF0D58CF78CD3EDC264FF479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:08.045{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7DB444C78E2471F1A978E47E36FDD4,SHA256=595449566433EC54527C3BF30DAD51A44058EF899F5751A354F66217A94E2BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:09.939{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FB99B8B347C3CC9EAB9CA451EDB6138,SHA256=024483BDE36EB073E2989EE8A3AE43C116400F331E3D2D63525598C2EDAF023A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:09.162{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BC42FC8D7831C9C533136A3444F180A,SHA256=43F1C3265870D57E3065D7883DF5061A2BAF43C4495E3AB6233E8312A9E88C29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:10.463{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:10.463{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:10.463{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:10.247{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB50D190B36152FBD2713BD9E974B206,SHA256=4E031CC1414640A8C11924DE87E36AAC392A60849890A5278D44B1B71E8AB6C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:07.240{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51679-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:11.348{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2991F88F9F5871DDA166AC4268EC22A4,SHA256=B85E2CD50B46FAD73BA0BA69B4B6987B34961D4BF12B92BE7E01BE7C790FA27F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:11.085{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697952308DD19C1ED8F7BDEFB0E834FC,SHA256=7E3AB787DE5E82B0C4230E0A31D213080058EDC30C9B35FD1721E51BF9CBD2C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:10.329{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50462-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:12.465{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20568352F8E51D2DB4B0F0578F8F7718,SHA256=A7808C6AEEF50C8199D64FD6AF0979F22E81501BD800F795B63E7E8CC845BB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:12.211{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E461F3F767BC5B4BADFA799F94318A9,SHA256=5171F9ABBD23C8F73C13634E97EDC3B248278F993989A53FBED3877F9195383F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:13.566{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0538DBD8679883AD0FADAD42278051E6,SHA256=3E711C7ECDF4B7861BEAC1FAA80F94E2CA0CAB0FD396C928137E37585DBDC932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:13.228{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E584FA1F22A62743440DA132E85D29,SHA256=2327F0801884785436E6AFC5CDE57E61E68C753A5E05C3F8D47814A464F584D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:14.632{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D805574D238C95E90868E448E0F5986,SHA256=7BA4BB9B26670671973DC6ECE6DF9BB279EB83C245B19445703280DB8E97C9DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:14.329{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8743DF8F40C8144B92DD30C9A2C457B9,SHA256=D82875B505D7D321F3A715DB36A4E233E99E575A103D2C5FCA8D9BC05D521408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:15.733{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5566E1EAC764889E5139A1DDE08DFAF1,SHA256=2FA398887F24851F362EFD472E3159198B6022F84BF80222BF4E36E2B5F70EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.433{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08C392778747706BF82948CB28F981E6,SHA256=D752E2F120D7BEC3E45D7C884F6361BA91AEC8866CAF40C10BFD0FC461E6B4F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A1B-6442-5E06-00000000DC02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A1B-6442-5E06-00000000DC02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.116{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A1B-6442-5E06-00000000DC02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:15.117{AF4EC832-7A1B-6442-5E06-00000000DC02}6216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:16.785{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7FAA16860F597E40DB8AE5BAF6C4CF3,SHA256=D94796381BDFB74C9A3F4A4DB95C4D872195F15C96511BA16528B608EE0A5D46,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:13.203{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51680-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:16.519{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6898BAB78255AC858192124CE655F588,SHA256=8A258DAEC7AA0E52E55B2EF80273D9D68ADFD486556C079F33F4D5371C8F8EC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:16.149{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=833630622B849D4DCC35403E9F8BAAAC,SHA256=C2565F1ACFF9A74E36F3204D008CA4793043B491EA9D5CDDE67501F79396B9FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:17.917{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8DAEAFBC2748063794F0212C034D505,SHA256=4EC818964A23BA0DDB0F488C40F5B362257F6523180995E02C02383A70146E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.839{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-060MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A1D-6442-6006-00000000DC02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A1D-6442-6006-00000000DC02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.695{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A1D-6442-6006-00000000DC02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.696{AF4EC832-7A1D-6442-6006-00000000DC02}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.604{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B6F8D273717FD6A62439033C670A2D0,SHA256=B2F050C91A1AF904DCAC79B16D57AB3E712912D24C6D15F93F2528DA67B9A319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.551{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A22AE0984D4E296AF2B9FEEEE6EAE0A2,SHA256=607311E67AC3168FB716329E3EAF24719C67147D67D4B0DEB51E2B267FA18694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.304{AF4EC832-7A1D-6442-5F06-00000000DC02}39404360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.104{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A1D-6442-5F06-00000000DC02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.104{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.104{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.104{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.104{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.104{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A1D-6442-5F06-00000000DC02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.104{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A1D-6442-5F06-00000000DC02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:17.105{AF4EC832-7A1D-6442-5F06-00000000DC02}3940C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:18.987{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1C3856B21CC6B3620B15C378EFD870,SHA256=60AA1B7380D3C158F6CD86E60A691AA8FBE78DE23572498594917538ECCE1617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.837{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-061MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.605{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=054A639CACDD1FC8AD31DAFF1505CD57,SHA256=C6FEC928944A40107BC6A098E623C41863766217EC82CA8FAFE7B2E0515DB19F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:16.335{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50463-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000027858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.504{AF4EC832-7A1E-6442-6106-00000000DC02}65286524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.295{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A1E-6442-6106-00000000DC02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.295{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.295{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.295{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.295{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.295{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A1E-6442-6106-00000000DC02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.295{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A1E-6442-6106-00000000DC02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:18.297{AF4EC832-7A1E-6442-6106-00000000DC02}6528C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.837{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A1F-6442-6306-00000000DC02}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.837{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.837{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.837{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A1F-6442-6306-00000000DC02}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.837{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.837{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.837{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A1F-6442-6306-00000000DC02}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.839{AF4EC832-7A1F-6442-6306-00000000DC02}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.680{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19F37D8F62F201114760A55E6C063DC8,SHA256=56688EDCD368CC0E41BC8D049EBC7418B360B368A33258BD49157DEE8F94F785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:19.403{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.481{AF4EC832-7A1F-6442-6206-00000000DC02}38126268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.272{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A1F-6442-6206-00000000DC02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.270{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.270{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.270{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.270{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.270{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A1F-6442-6206-00000000DC02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.269{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A1F-6442-6206-00000000DC02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.269{AF4EC832-7A1F-6442-6206-00000000DC02}3812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.783{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7855D5ABB8EBCAFEC17A6C2694221C3D,SHA256=0F26406B49CE1F4384B5114DC9A66E0C1688FC8F3A966B99CFBFA9B8613580FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:18.668{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50464-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000022751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:20.088{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9D9449A13C940FDEFB09C1B63E74F1,SHA256=80777AA994E12659782191E94E020E7238E1D3DDD08B8F93658A65E3045C0E77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.338{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A20-6442-6406-00000000DC02}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.338{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.338{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.338{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.338{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.338{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A20-6442-6406-00000000DC02}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.338{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A20-6442-6406-00000000DC02}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.341{AF4EC832-7A20-6442-6406-00000000DC02}1908C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:20.072{AF4EC832-7A1F-6442-6306-00000000DC02}36405528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:21.815{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA4AEF7F4EBF9A12A112958BF522B1D,SHA256=1AB4F3C57D12229F4272147FA376BDD04B1B3A642A1A25E8178BB9951B933B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:21.189{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F22E41D38956008F0FB82D377DC1DC,SHA256=FC25C8EF70BD48AED12037614857BCA862BF998AA72AF57872C0B82384B2AB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:22.859{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2576A73F79383EA75BD96B4C77563DF6,SHA256=97561480D5FC7B6CEDFB28122F97B2245B30A5423DE6AD64A6BD1D21075D380E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:22.306{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27C09FC1998418A858DAEDE8FD10CCAE,SHA256=0EEB4578C159D42DE18DA9150C60AE31151F959143E67547608ADED824F4AE8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:19.185{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51681-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:23.883{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF8709DDE14C90A358F0E923735DD9F,SHA256=4B91436CA9A5160535027E84B1F61B6B825727B6264673CA78A6C6D34B217958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:23.391{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF47EEFDD7E3B30963E985848D3FA9DE,SHA256=28BF6677EB657E090FC7261D1C11B438A03158EBED7BD740B9E6A58E1EBBEC9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:24.958{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EEADF68B968A404A919740A01651FB9,SHA256=9CE368BC1CB4755DFF7F624C3919E8C775348F904007460E39C1A002EE501BF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:22.321{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50465-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:24.508{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D996564270A704F9A2CF46CE1F6F5208,SHA256=A6CCAD16E010002C5EBFBA563F52B7282E59DB42B0669B3F5952323447527FEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:25.624{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C699A994CD25ABA25EA1626EF68AC31,SHA256=200E30EFA3CDE8DDB8015D075519C9F42A11EF43C908012D61CA00D0BD0DF3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:26.981{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-050MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:26.725{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A66313A3A7EA3CE9766048DE2352EE,SHA256=B44762DD892D8BAB1A2643EEC5147CE8B204962CB73932120EFAA3D94F9C9071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:26.013{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CA97ED832A0760E05CBD186371F7A1,SHA256=0B2888344FD558BD121CCDEF9122354BE99B1CEF3BCF6EF77393B9072CF51DAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:27.980{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-051MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:27.763{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44FA998395F997240D8053636126D456,SHA256=F3D10368EEEFB8B511B871D24C9C7BFE7AD493F7D90A1BD57630654F3413B693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:27.482{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:27.131{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB56BD7BA077620538ED59A6D7D56EBB,SHA256=7521EE37CBCB2AAFC1270F102D76F80895FF65CF0475D562118FFAAD5E7C006D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:27.463{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=341C42F751290D7E110D4DA030CF946C,SHA256=5B6449D9BD705A48A4BAFD6EE8FFB6EAF8DDC160BAF178F0453AAD5FEE771AA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:28.879{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A90E82BDAA37F6C7EC3FE4F09FDDB504,SHA256=06B4A7A293BFB5DA81225EDDB2A3BAA55A49A334FB10D6969186751A03FF05CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:28.197{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CC009E04642B13FC3A205062033B50,SHA256=1EB239C1BCDBC2A6A39996BDE327D7876BF131432DB9FE8727790AE2D3349DBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:29.996{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=922D5B1FC718CDE6230C70B0D0A6F18A,SHA256=50ADA6215A212EAB5E5FE112F6C1EF9752524E8AC3158D094A6700F46A093461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:29.256{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87572C17DC05E5C040D169DC1A4B6E4E,SHA256=C6B11CE18D6A5DD062A683D5D3397C34517C4EB3C0832405B96A3E4D243F5963,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:25.167{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51682-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:30.312{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92287B40C3FCEDBD30414CC8D2518645,SHA256=FCA04ABF55B03157F8F2E194DC891C2C5F4FBD1F36144CBDB65A973946A9032E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:30.280{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=47A87641245CD3748EDC0369F55AD765,SHA256=10DDFC3F915A19B83A49058E50876E01D2255F463B4290E82715E57F4EA6C50E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:27.522{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50466-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:25.558{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51683-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000027903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:31.329{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365FEAAFA773BC060685671303C047E4,SHA256=CF04B23B0FEE03057AB3774646ED1D649C36E224D4A61F652EF74222DFAB4816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:31.113{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1A20ECA7C6FB60BF81812BDBBAC036,SHA256=759F48206C8C3CBE092A51A94D2DAD7083F60EA743BB0884E4F135D55213505F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:32.497{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F97AC157A2D8384998C3C7F7AFEF50,SHA256=FBA489DA7B5E7A15053A78DEA62D60B50A5CE0AC3C35478C76D560B7C78EDBD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:32.199{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC031A25D8273AF913C5B5876960B042,SHA256=B063F2A44C7DBA1D09A581627C4AB7164FABF7A4FA1A6CA31CC2CB541D03DE9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:33.656{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71BC67FA1882928E0AC9E969AD20D32,SHA256=79F0322E5E33DB70E988648796F090E196A23F890DC3E07C7C3F144100C8C4B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.700{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.268{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=537AA3A4886E705A26510AC15083E8AC,SHA256=A1FA257CEC3E35D98FD5E475BDBD67C9C798572CA4E81559422E5C8D72D0C5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:34.570{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A23A7772734D086F343B5CED069CE36,SHA256=4FAA4A4A6CB6E9692E4532F3C1A8C56D2138A56DB3D4D14E35E4EB9890201F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:34.711{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A2D035973D01B2300A8E920B1EC31A,SHA256=DD76E24A95CDA6A7D7A0FC3BAA485F05B2DF28A5FC1504E17A80BAB4F40A9F2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:33.366{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50467-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:35.651{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF42A8DB94AFB0ECED9225EA029DE2E,SHA256=15EC8F7FC80DF3225D509EDEEEF0E8CFB5897670C5D93576D1C7164DA300F4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:35.729{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8FD850D87BA9761AA755987BE5FE70,SHA256=80C6E61B5F3731B17CFCB5657E7876C97FC2ECE9087392F0149051B87AB981A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:31.196{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51684-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:36.753{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC83BF157BE1DDAD5908E1884A78C9E,SHA256=58FBB94020D086A91B8A31C11C573569A89F81CA78448C293A50D6D370A07584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:36.894{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5034F196962B0BA9F2C562CE4D555A6B,SHA256=273FC5430BE93AD9C1737B8A526F02BAB0AFB66091AA9ABCCDCE51E94AED09B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:37.835{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001A9568B582566F9F504C67FDC0D618,SHA256=4EE75D6EA6A950C3F4559193117F7BC2A765B3F207A19E793A921806CF3A8F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:38.907{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B1984A84636F9CCED142057533A720,SHA256=B6F0E6B9077BDEEEB287FCBA0C31EECFD1D22D0EDEC5B5E056BCB550C0F9AB38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:38.026{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0966A3C08AE089115C85985DE0C7025D,SHA256=59FB480EF9C831C0DED5F0C6E517B61C8765555821E84B8E5A3B2BFE9BE944F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:36.253{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51685-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:39.077{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EE1BF6EF517369933BB4DD630B9CAD,SHA256=6A51EA3374DC65314AB3DFB319BCF27E96B03D68D079E7EE2460D6C259D27A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:40.008{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=949DD6A2595D5D448EC79B989524FDE3,SHA256=46F870971D77182F9206703DE22FFB8BB3F801CBF2C33E682CDA423D72CED548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:40.126{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D75208F2A0E9CEC87761F9D6B9391237,SHA256=6E48A0EC7EA70363C0D5FE4764AF538388E3C23BAB51112A1F690CF288632F8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:41.109{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC928ECF13B2D1B035A6A735207D5D6,SHA256=DDFC7A97FA6F4BFFD0E871125CCB274716FBD1B3C99550F864CAD316707EA33A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:41.176{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E6FFE81F4923F1BCC818F2A755B5F50,SHA256=97C7F67031FC28F5C8CD90CF00CE216C143391274E75578256DF1B32EC998FEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:38.434{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50468-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:42.194{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776CECB5A0B399EB9279DDAD57EBC442,SHA256=4298EC3B491D434EBF2E1481A1FB450B1372E8523E794D2CB99DFE9915F57293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:42.307{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4F719753DCFE938E3875B2A7E70E24,SHA256=A8EAA31E25EE35623F5DCDA4D590AD74F63676EE6B005FEDD9A500E792B33333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:43.294{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7EBFFAFE40899B5A21F928F78BD798,SHA256=DBB35168B7DFBBDC585A91B0CE0AD74FE3DF02B2B66D42FABC23F56D4BAC2751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:43.350{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F14E48AA1E88D6EF2259443203D820E,SHA256=8D093CF5406A2A1FBC85461D9C5637FE6A16EA7B579293B53950F567DFE75D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:44.406{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1620B864364D0462276A56CED7F948C8,SHA256=DA6FA52EA77C3B8BCFBF34E348D6263921960BE991763F90014D269DF2CC3823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:44.357{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B30C9D6DAF57E6F1A7B78027F5C2D92,SHA256=3E1C140E0AA376091ED9C6829C92B2E0049AFF620AB54D65F598F51CFC3F2224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:45.408{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164E2DCBFFADF743BFF3155EF874B101,SHA256=37FEA03478507B6EC76E7547F254E176254BB316C4B9931E2A113FD3BCDE6FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:45.450{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB12E7413F8D56424FE21C6ED58C8FE9,SHA256=EF8AFE029D3E3FB3CE391842B1408D54EAA53CB4CEA1072EF256E725BA8DDBEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:41.320{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51686-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:46.556{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76975C28CC86AC4EB32C03434C74975,SHA256=3225DD53C4CA1A29CE9BF870D90EA6653BE814E77A109923A27E03EEA55FD6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:46.505{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DA54D3D2135D628DE455094D0B16E0,SHA256=4446C4418F0ADD15F585686C06490C3B15DC86909D61D9940458A90403900A56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:43.536{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50469-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:47.606{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05594DA452D21AD96E05D4D6C2776AB6,SHA256=E23F2D09A363DB9C83923DD6E55353472D848B2D87A71A92800BB3755495A9BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:47.604{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FA85E8033EE6B2D20CA97DE1359A3A53,SHA256=12829C2F0240C38D3E827EE166EBD06F6FFCD4249D3ED5CDDB3689437F0D3A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:47.557{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F54313EBC6DB6BB0DD5407C787521E0,SHA256=B7B9ED5F434DF5BFAE74584E301EEE5BCF664F5F4F3491689135B3C18955A0B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:48.774{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6239DBBA9B997B02D86D1C14E5E7FE,SHA256=C0C69FB36E409B6E2443CD0793974A2EC9F3439E92A8A169BB2649597DD400F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:48.603{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53770469FBF84099FCE1550C2681D0A7,SHA256=18F92A0E3935D4BD33A6A8B26C7067BCE63505B873F3F11472EFE26709253415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:49.820{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=776FD1FD9E8E61464056DDF1144ACFBA,SHA256=0F369188B7FFCADA6C52BDA95F89C203FA89014E6E6FC731983FAE2961C9C9A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:49.671{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FE1B0EC873A4EBEC0D35C99528A9A8,SHA256=5B12F95086FE4989D789AD2C8237EC2170E7A39E9B3FC53D63AFFCB7E10737A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:50.888{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2B174E4E4B27D3AC54D1F296A57831,SHA256=8957CF38E0B6534D71B48C74E6A0D2B652EA70DA3E08470B5584031304AECD8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:50.719{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7D5BB9DA7C60B805FD1FAA0F1EFEDA,SHA256=154235162ABE89F0A3022863A2684179E77937E4283A9BF6A0DFDEB81D30E725,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:50.604{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1500-00000000DD02}1104C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000027925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:47.169{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51687-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:51.819{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7541F3B7BBA3C1E1D72E5B7088771FF,SHA256=72DCF7C872DE2991430AAA8A13D368E100E70602C12B1C1E286522475DCC4B8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:49.468{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50470-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:52.901{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CB8286BF2CEA5E3D144295AD9A315F,SHA256=4BA5639E7363B53E6D67EF9025167514B7AA13E6CD0DC54054D63BDFF0EA8721,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:52.003{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5277889BF3B6B6EE406BE19802CD487A,SHA256=5819541B84444E1E4FCC6CA764714962737E33C1E92C2ECD7BC537546B611967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:53.968{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF0A12D2A8FD6BEDAD12775965C26C6,SHA256=FBC7A916506B1D1CF74D72DED67DA8974CB29A67A0FB12CFAFD00AD4588A6C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:53.052{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=590C3529E6DC472F8177FA6CDB9EA5FC,SHA256=9A7C028984F62B19602F235C30A4DF5869E6BA733D7469A9F2A57AB9906D2333,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:51.853{223CB5FF-767E-6442-4F02-00000000DD02}3744C:\Program Files\Google\Chrome\Application\chrome.exeWIN-HOST-CTUS-A\Administratorudptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50425-false239.255.255.250-1900ssdp 23542300x800000000000000022823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:54.155{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758B759B63C9C78495C190C00ABE0860,SHA256=5F1949D39613F792D57DF4EBE1A6C74BB41333904391051D0D2D3557CE122AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:55.275{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914DB88C9BF825553A80D3D3AC3DA1DC,SHA256=B19E764B5FB1B1EE9E30CF7D1767EB71FBBA477E66E92A68645FD7007C2596FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:55.043{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F6B109654E9EE6C3B05F38464CADC0,SHA256=9D113C137E119DFE0E404E5D1F53114E3B89C55AC4BACE66F3891A00E15F7793,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.356{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A44-6442-0E03-00000000DD02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.355{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.355{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.354{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.354{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.354{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7A44-6442-0E03-00000000DD02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.354{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A44-6442-0E03-00000000DD02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.353{223CB5FF-7A44-6442-0E03-00000000DD02}6612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:56.337{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33F5F4AB40B09921EA2E3CAE97FB3DDF,SHA256=E46957EF954618EBA677759A3A0B53EF1EAC531FBD9238AB48ED5283518CD2C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:52.197{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51688-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:56.067{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AED0C844BD8F4887D655A6A884BB62F,SHA256=92C2912877AB2BB76D1C312D1D420CDCC0BF2486C4B6E72BCE4816F4542C624E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A45-6442-1003-00000000DD02}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A45-6442-1003-00000000DD02}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.938{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A45-6442-1003-00000000DD02}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.939{223CB5FF-7A45-6442-1003-00000000DD02}6204C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.605{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E1854CBBDD5AF9563D6A50A57CA8A487,SHA256=735C7F7458D25B27CF8C6CB13EACA207E719B190A84AD4A5211E50776A8C05D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.459{223CB5FF-7A45-6442-0F03-00000000DD02}52683000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.421{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A1C3F8AA2E268B294B12EFE3D0077F7,SHA256=C6983864EF68E989552946F8AEF002A1D31DC42302917709B076A429D22A6D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.359{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DE902052B7CFE256428B6AA869869D,SHA256=80895DD0C610552A91362B1E0038F3113A75C20DF6A0657CEC41F199084039E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.358{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5FFDBC69FFA32D291483325FCC2BB2,SHA256=050A1E69B318D59AEE338F3DD3C90D6852CE0939490B4E42961A19FB491E8D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:57.198{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A567165DD1D40BEFE0CECDECEED6CF,SHA256=F102469C130DCC761E9D0CB928B36B96E1DB302D2F088E15DA391632D7AD7B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.256{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A45-6442-0F03-00000000DD02}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.254{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.254{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.253{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.253{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.253{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7A45-6442-0F03-00000000DD02}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.253{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A45-6442-0F03-00000000DD02}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:57.253{223CB5FF-7A45-6442-0F03-00000000DD02}5268C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:58.775{223CB5FF-7A46-6442-1103-00000000DD02}29445248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000022865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:55.385{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50471-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000022864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:58.606{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A46-6442-1103-00000000DD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:58.606{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:58.606{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:58.606{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:58.606{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:58.606{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A46-6442-1103-00000000DD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:58.606{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A46-6442-1103-00000000DD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:58.607{223CB5FF-7A46-6442-1103-00000000DD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:58.406{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D57C730DE558790EE63248A6CE01595,SHA256=592D5902D7044E0E427B6CE084F3CED2C19C1B6BEAC399D52C39A7BD2146D551,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:58.251{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6E3BCBB475F10EB082411ED156A994,SHA256=31C9EA0C68CE6633CF2E84A2A5C7D37C24DCF03EA3EC86B835E94687087779CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:59.559{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3B218BAB09034120544BCB15B662C4,SHA256=F34DB558FCE0B705BDD48AD18408D8BDFFA09114167D498ECE16C5BD018D172A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:56.563{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51689-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000027937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:56.563{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51689-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000027936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:59.497{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDE6BE37613955E072EEA4FEABD137E3,SHA256=A6D92ED05714256F5ECA083A21445F7D5DF1A8EC1FABE51FFDD74CAC9B20BC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:59.314{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698DB9BD0868A69D45B301ED31E13FA5,SHA256=C4CBD00606CB026682ECBDDC769BE7F07BA786F1EC9242FFD342C85E109A0A6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:59.458{223CB5FF-7A47-6442-1203-00000000DD02}65685404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:59.290{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A47-6442-1203-00000000DD02}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:59.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:59.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:59.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:59.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:59.290{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A47-6442-1203-00000000DD02}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:59.290{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A47-6442-1203-00000000DD02}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:57:59.291{223CB5FF-7A47-6442-1203-00000000DD02}6568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000022886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.962{223CB5FF-7A48-6442-1303-00000000DD02}24165312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.792{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A48-6442-1303-00000000DD02}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.792{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.792{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.792{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.792{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.792{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A48-6442-1303-00000000DD02}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.792{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A48-6442-1303-00000000DD02}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.793{223CB5FF-7A48-6442-1303-00000000DD02}2416C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.623{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8780F300917E282385207C8728B31AD1,SHA256=5739B412732EC15E6C6E930EECA859142B56B2DFBF7D0315B2CD9606D23F6DB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:00.365{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BFE43FBDF6FE065D21259AD93A6483,SHA256=09454ED83BFEC789AE3AFF05D9EEED885F5E423E2F23A095B4A12FF3ACDAFC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:01.740{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CD14EDCFD548D073CDFE136FCE6CAC,SHA256=C8A06A65D2A24FDBB45836C04B79458E31B6D1678BB85BCB29CA658B50D5B00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:01.439{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E9FFD8A4F9C39E85258133666AAC9B,SHA256=2B04F8AA5871F5647EF47AA7EB50564CD514D9248570693E24CFBEF62E9D75D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:01.459{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A49-6442-1403-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:01.457{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:01.457{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:01.456{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:01.456{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:01.456{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A49-6442-1403-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:01.456{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A49-6442-1403-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:01.456{223CB5FF-7A49-6442-1403-00000000DD02}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:02.808{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153CAB01BFEA45791E32BCEF8EBBCA9A,SHA256=ECA4459BAB0A2488C231D857CF398E5C68F5261652010CA3E03FECFE673B7B3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:00.487{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50472-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000027942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:57:58.236{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51690-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:02.464{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1007AABD10CE994ED072877CAE87CD,SHA256=BE46F433876EC3E0FF9B6F9D6317A1AEA440A33763B50556C17FE2F41244A2E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:03.857{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D1B897CC62DE3C7E19AA18F8294562,SHA256=93F6C1D2D4CC417C4460ADF92E759E5FB243E39B79EAB2EB55E754DFA7968A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:03.513{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F90BE5FCB96507109967406DB0EEBCE,SHA256=EA7CF8BA54A3C9D590C592CF3FC13E93EC02F526A86D33089B6B0A685D4B64AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:04.976{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A87E0FB6FFAF0496CFDFBEDCE144188,SHA256=67B676B81D05F25C2D54E6CAB87BABA7B56DADF93602D8EFACD4952AFAB40946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:04.564{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575F644F9E89A45E67361927D75ECFDE,SHA256=205810EDF2559543073731FE22403E7E3AE04E3ACBD1BC0B200B9DCDBB3E08B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:05.696{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=297AABF930FF244377DF9878AE787807,SHA256=8608F8FC0971478EAECC5C3D96498212862DC9700367B38249885879A5D8212B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:06.740{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C5C2F78C4D4CFFD053716DAAEE223F,SHA256=125A32E6242FCC5EA1F456588D768E583C2867AC6B34845D3F9CCDD04C4926F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:06.122{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35E9E06090B84568C63ADF51FD8D154A,SHA256=A443547117467E35BB01262BE12DEE80988AA58B268E00A9B6EEC4EF20C149C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:07.937{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D5C8FD4449083DB22F0B24D64EA005C1,SHA256=45514A5A924A07BCF20CEF694A5CC29A6D9046D428835B0C242CCE95D28B27CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:07.237{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DBCE3586F0DD0BF012931786366A40,SHA256=88AB8E85D94EF37803DB8E73D00C2F63B0D74CA2F412AA3A3065BA93247C69FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:03.344{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51691-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:07.779{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DF33CB44B139AC3DFFAA2D1A4E6F7F,SHA256=7F5746DA1980F9D6A5823AD643AD47EB10341D2B0DFDE67D60D6701C85735C13,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:06.469{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50473-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:08.375{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FC03C0D840AA90727A3AFD2A22396F,SHA256=6F62F23A02ACB28C1B561D003347BFDF2A1E5DFB9A429B007A8B22479FB48E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:08.813{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0D25B05BFCA5D6025E7C89C86489F9,SHA256=1FA9BF9D1322E746FC288A8806B45FB0460F15DBFB545EE069B0EDC6B79AF6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:09.506{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5AED52E97FC3268333CF25763F87A8,SHA256=4AFAE641E33CB123B6F9AD4B36271ED3CF353C1EEDBDE91E5AA199CC768F873E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:09.878{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536A5348A72FD0F512483B0902BBC7D,SHA256=1A7B63204468125BEA8558C168695ABA4C2F012C89D4448EF88318342D781602,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000022914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000022913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0030a195) 13241300x800000000000000022912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d97440-0x2845ddae) 13241300x800000000000000022911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97448-0x8a0a45ae) 13241300x800000000000000022910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0xebceadae) 13241300x800000000000000022909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000022908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0030a195) 13241300x800000000000000022907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d97440-0x2845ddae) 13241300x800000000000000022906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97448-0x8a0a45ae) 13241300x800000000000000022905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 11:58:09.105{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97450-0xebceadae) 23542300x800000000000000027951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:10.937{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=631BC3A3AB3E38ABEB9E031C68F76100,SHA256=4289A29B572D96B6D4BC358109A03EAC16D7D5E5D7A138E43DC6C932375028D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:10.554{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174ABD8A58C7BCA4B6AA115EEB5F2990,SHA256=0C04F9CDD53979218A852A5AD0B4A1481C0AC70B44CAB31EF399DF8EF51E2BC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:11.992{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826BAF5EB24BAF82A4869B1721C4DC21,SHA256=ACC541F0187457628FE12C098E191960DE6B85C5FF778069C55A34F1897CECE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:11.589{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7EBA42BA33BED94E19E1299673F5FB,SHA256=2EFB5D9ACD76FF6C090F62909E4102EA6927D0449CA2B0F113EA630BD9C9E279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:12.635{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D802B45C137CE1DC5AC1E15E5E6EBF1C,SHA256=DC0663DFD44199DD472849920F352EF2868C478FCB1CD0E40B36EE757A916E0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:13.673{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCBB957F71ACE35404983666F38A758F,SHA256=CB5B1CA7D206A793965749E4A5DD5FCF61B95738F4BFD7ECBFAC88EAD5EB0889,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:09.103{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51692-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:13.161{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69A857BC5E771D8E293C8A525AC3F5E9,SHA256=722041D5E5130B3B5740EF688B0528AB79B853A39714F8A2D6188FAFE847AED7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:13.061{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7884A121D9409C4ED1C4E9EBE9458F6A,SHA256=AC96F0935A6F1819FEDDE60C4EE59CF8274A3C34D30B8F522F6E49E0E1243DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:14.803{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8084C956DE6BDA7EE305F7B6F9BAEA8F,SHA256=50B591AAC9DAD86580E2FFF168EFAF4998468095C2C42CE471C40EE89D711923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:14.110{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF1EBB6917E8276452806BDF8DA2B16,SHA256=ED1143DD2717BF739F90FDB611D33506B2F209DBF45CC4BD8F7E2E7DC7AFFC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:15.951{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098942864545DAC1B96F96D061638BE5,SHA256=2E9E4576F0DB6FEBFC719BBF06560C485E657250EF42CACD247F5D41373BB02B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:12.433{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50474-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.210{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85B7D02F7D6FEDA9A42EF4D48660CFF,SHA256=E038D94C22C56629C430E4F4685B4C1C61EB9E65296FF088E1EAE0A445F24D75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A57-6442-6506-00000000DC02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7A57-6442-6506-00000000DC02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A57-6442-6506-00000000DC02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:15.136{AF4EC832-7A57-6442-6506-00000000DC02}5288C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:16.244{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF16C91470FE2BE4EFEBA262E921669,SHA256=2629430CD31CD496E399DEE9B16767B2CD0C4758E98F2770499D9083B4ED0E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:17.002{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C25CEFB1F1D129D1F54D94E9F307E9,SHA256=F7A64925C9C49C9E19774089FFDE21B1B803796E8013F9B83D9C31251BBC28AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.809{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A59-6442-6706-00000000DC02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.807{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.807{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.807{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.807{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.807{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A59-6442-6706-00000000DC02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.806{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A59-6442-6706-00000000DC02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.806{AF4EC832-7A59-6442-6706-00000000DC02}5832C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000027976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.334{AF4EC832-7A59-6442-6606-00000000DC02}16684160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000027975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.311{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3752BF1D86800091686B96C142B56B,SHA256=31996028BDD58103C2F758A12B05700513A732D17B2B1CB4E6FD6406CAF54332,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A59-6442-6606-00000000DC02}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A59-6442-6606-00000000DC02}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.134{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A59-6442-6606-00000000DC02}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:17.135{AF4EC832-7A59-6442-6606-00000000DC02}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:18.132{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7AE0D853BCA61550574A028E8EF9B96,SHA256=570C50712C2B66E9C8560635C185857BDA33D5628F5ED0AE0BEA30BF271158EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000027997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.642{AF4EC832-7A5A-6442-6806-00000000DC02}57684688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A5A-6442-6806-00000000DC02}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000027991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7A5A-6442-6806-00000000DC02}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.473{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A5A-6442-6806-00000000DC02}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.474{AF4EC832-7A5A-6442-6806-00000000DC02}5768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000027988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.389{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE7F11BF7BBF2371F9C923115CF2466B,SHA256=EF18BCD2A8DDFDEA8DA0D662BB5CC1C8C47288C5319C5FECA26C10A02A23018D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000027987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.258{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=201F218489342478713AD5BD8AA3E5E0,SHA256=5A6FAAE5C317A1FB8CB40542F84BB8ABEA5D6764C946A9E2C8B15A0069339C47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000027986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:14.153{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51693-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000027985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:18.008{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9B1C4FBE4D15D0707582AFF0889EE148,SHA256=99A509F8248BF7E19C787A501AFEA9B70646DC5D5D2F350CF3ABD5448668EB79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:19.435{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:19.153{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4105634A41C2467C6386E18F14659938,SHA256=5E4FB642EAF8C404A20E8616551340143E7CAC54FDAB733868259140ABE7A48B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A5B-6442-6A06-00000000DC02}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A5B-6442-6A06-00000000DC02}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.957{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A5B-6442-6A06-00000000DC02}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.958{AF4EC832-7A5B-6442-6A06-00000000DC02}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.558{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3ABE64940148733CE47E9E1089AF1AF,SHA256=FEDA4986AB92454243CFA0894EC7BD0F5981A99295DDE42307BA0AD0F5F93294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.376{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-061MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.273{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A5B-6442-6906-00000000DC02}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.273{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.273{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.273{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.273{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.273{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A5B-6442-6906-00000000DC02}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000027999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.273{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A5B-6442-6906-00000000DC02}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000027998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.274{AF4EC832-7A5B-6442-6906-00000000DC02}3112C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.817{AF4EC832-7A5C-6442-6B06-00000000DC02}14244148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.633{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A5C-6442-6B06-00000000DC02}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.633{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.633{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.633{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.633{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.633{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7A5C-6442-6B06-00000000DC02}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.633{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A5C-6442-6B06-00000000DC02}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.634{AF4EC832-7A5C-6442-6B06-00000000DC02}1424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.589{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861AB2B86453C7E192595A0AE18810F1,SHA256=8BCB355856C82F50222FBF527862237BFBFD66F8DDF2A9D182367811A3A5B5F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:17.480{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50475-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:20.218{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174084A0900604F632C3E1764965F62A,SHA256=D6115713A965D35E4C87F8FDD321E4007FFDA69B104AD99BB09F66E10F9A8066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.390{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-062MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:20.142{AF4EC832-7A5B-6442-6A06-00000000DC02}43484860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:21.656{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22B34B2F07B3FCFF7D42E6CA6EC5415,SHA256=29953A61591C950202C9D47AEA00570EBB5E9C3784FADC935428BC7DDAFB698A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:18.698{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50476-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000022929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:21.252{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE6E233E2EF3F7A92481141C6C54E22,SHA256=E61A6AAF42112623541AE20ACA594644C871D3A699A2915F91C77EB321D0F01C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:22.704{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=555E51D2BE5866832BD553141D627398,SHA256=EF1FE6B371BF7B187459F6F972387A388FBD0D90B01CBA4B8A3295BD8DB5A475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:22.317{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AC19A883560EA5D865582AE1D1C1F2,SHA256=6EA543DED18916BC04A56594D528A6D9B281335F9897AED0682494230DEED204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:23.350{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19508EDF7C944FA5D21DC933450039D8,SHA256=E7AC418DC1654AAC71BA9F728CC9FCD5F91AD34B846BBC097F496BFF2FF04B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:23.786{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6844D5E4C2D2CB231CEE8199C43519FA,SHA256=2F23F16EA2813EC119E76169D0CF3B9439531F85AAF753C81978F111E7225193,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:19.350{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51694-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:24.838{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECCB30D8630DB69C83F6AD8FC86CCC8,SHA256=E52558C674618CD5A4C878B8E6EDE05A2817F6C4F0472B1704E7CCF6D7D15A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:24.449{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E058910F822DAB5FC29A96E741442FA,SHA256=CFB4935AD2B029885751117B19BFBD8C34689146707F47B551DFBD17BCF3A3FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:25.548{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=289B3C54F25D3EDB003A07A36572C3B3,SHA256=C7439BEF24E6B471C3E86F1BD5F81D6C9AE94AE0524AE50F03C940B9635DBEC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:25.984{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8D088CE69B2765259A36079A53AB87,SHA256=0F03EDD47CA8333AA8FB2517DE4F2F693CC908407C2F633027402A6DB2F3B3D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:26.682{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC5EB747C32FE916174779638FBE22DC,SHA256=6F39BF2E1655782A0368C31E4FF58C1E4ECBA8BACEB483DF19AC245BDB51D6D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:23.394{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50477-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:27.729{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DD6EB9FD27765D54E3BE860C6C8252,SHA256=8C6CE9681F49E7497DFF27F1473564705E147E3382802B90CEDDFEF8B7E5F293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:27.667{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B9C197E7D8E399208AFED65371E4A617,SHA256=C637B2B765B676929B0B06DCA74498880140456BFF8A77342D057310979F34A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:27.536{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:27.002{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48199A5DA286D8E015DF9F681FB10470,SHA256=F2DDA9137EFFC425DB8D7745989CF5751A541321A60225EAED61AB5DC12E1B6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:28.846{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549192778FF3D9E69B0F79CCE3BEFF48,SHA256=2D7CDC4E0B9AC7C40863301EAD6D47E054A1C8C6AA881F42F9948A0D4C3D6307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:28.515{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-051MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:25.176{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51695-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:28.067{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B467F2E2A3B233BB49E5FE1E85DA7BA3,SHA256=03C028C085355F627194D69A9D20FE46CB01DE7E5071708DD9DC9EEDA899B81A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:29.868{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76BB5ADB9173C24559C1C8F4795F6BB,SHA256=EC770D1FF0F49F927C50139AB9F423287360AED6736B4683BB3135A6398AF17D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:29.529{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-052MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:25.591{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51696-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000028038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:29.100{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0FD8DC1E88F05992BD89B8999E685C2,SHA256=52D98F70E320B42FE8A1A10139A5D5D72DCFE40684FF02028E081D7131EC75E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:30.911{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265CD0961618ED57BA05A03E63A9E294,SHA256=520A677B717F73ACA0E1CDEE51D3F1655ADCE4FDE529E1A67FCA7A10102B0A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:30.298{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=58C5661C28D749548161CB046A34873E,SHA256=55A3C49EB6040A29E7C80B569562FD043F2ED05A888641386396F43A1D4B68CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:30.166{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C85A11FF213B750972C505D4C2CC8E45,SHA256=37695A1A8E9B0CA3B8B1337819F82C6C526B2C603961F3161DE874CF30A21BFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:29.391{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50478-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:31.228{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF57403481BE8015223D5D0F9878C5E1,SHA256=3D5D73353595547D2AD8DC3A24C74358DC87FA3CF50194E120D3365C766FA82D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:32.045{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1D781A0155081939EB1AA4A5EB6B4F,SHA256=69343E4A4CE5339CA28AB909A96906F9A300EACADCA4BB907B09CA602AA6E2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:32.370{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA04972DB1C53DBF6174AD7D2B7DE84,SHA256=59962AFB17CB0511A59F0954C825D1B25D2C47BEB0139F389C593095BBE97DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:33.145{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CECFE12A4D59793885574DDEA53B473,SHA256=BC07406944A30C3E37DE2416D72B25B04EDABA4408154A28F8FB0879B6A42806,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:30.192{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51697-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:33.388{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F95D3E0FD0C540DB3A38B4EB5A9714,SHA256=E6131ECCC8C2D53C290D25CFA9ED2DA0D918464B30ADBF45CB2182E0EE403A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:34.297{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937AEAF58F9725AD1FAE1955F2FCAC9F,SHA256=18F64AC38B4F69ECD9A7511B5424DEF85123E272E598B7C5461650CF4F7A5D87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:34.435{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2E9045B8F896432131CCAB10DED718,SHA256=0D85A1C3AE076434A27C34F944F43081CB0B87F59A0DF79D49408EA4FF16A105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:35.328{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30579530C3124ECE754C3E6B7F7C1051,SHA256=621A323A04B5F8211C716A3DCB6E0E743B1C833F5BE7B6EAA9604D544526C1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:35.462{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5837D23F24C4F559C3FE373DE1F83B90,SHA256=15AE02BD62237A26B8A4EFA55B7D482C28F44AF023D6820B2AB2C5AD7A3822D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:36.380{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B925B3E96C16CA5A12BCB08B92A079,SHA256=05DBF12726BD621ADACACCDCDCC29AEA2DAB0FABD7B482693CFC90355B12F762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.681{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7A2CE573865FA13604F464664D10D4F7,SHA256=D86182BE75B71649C6692CF677986DA4897CA9CAFD875B69E0BDE1C2CB1495A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.512{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4244F2A7CDFB9A4744CBEB7A22C536A,SHA256=93C37BFB3C0C7EDFEF100E3332548F7FD1846BB80F82B3E609225D8AB2E2B524,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.164{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000022951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:34.423{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50479-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:37.411{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0584D474E5175601639F3A689646748,SHA256=1AFBA4239DB3821B0EA158F606C74218A8F322BE018EE3FDA0B4A3B850391A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:37.598{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB800D90B6D1A66071B2D90E40563414,SHA256=5BC5C025BF5712570A189D46A7483593504FD48C7644A601DC3B2E3D90E117F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:38.544{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DB78EA82DE81A1DEAAB30035E7FB16,SHA256=2E444B250446B10FB88C6694E7406DA4FA6C7DDACB65AA627070AF37424DD08A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:38.656{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4991A4927BA611226B926F788AD4E70,SHA256=BDC2992F58B3FA48A4668FEB710384269459B88A6B59459276F2E66F2252EED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:39.580{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98F5ECCD9771FC589B6E2B94343AB4C,SHA256=6DFCB8DD037C5B2907824B0945687B567874D2768D853E01E96582CF57D8D8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:39.725{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BAFFACD4296764ADD89CA49F6574A8,SHA256=235924528BCA3DF3685FCD2BAC86ED964993624E283023ECFBE04AD0DB9DF38A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:35.696{AF4EC832-7353-6442-7A05-00000000DC02}4404C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51698-false142.250.191.138ord38s29-in-f10.1e100.net443https 354300x800000000000000028086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:35.679{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local55227- 354300x800000000000000028085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:35.677{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local59318-false10.0.0.2ip-10-0-0-2.us-east-2.compute.internal53domain 354300x800000000000000028084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:35.676{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local50567- 354300x800000000000000028083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:35.676{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local50567-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domain 23542300x800000000000000022954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:40.625{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=156D09E06F654D50F6217A16EE2527DD,SHA256=5F21AB3018F2847BA28A0FB9EDB5F10E26F0902451075270D8DC4D724AA23017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.875{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=F56476896CB0E0F39F8016DE48E62A24,SHA256=593C36BE94EF0E888AB0326C95B85F0E34404765C57A8E513F181D044253DBD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.875{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=995083FA626030200A7A53FC1B1DE82E,SHA256=FCA236F398A72C71A53229D5866209B5E6C36764801A5090D9A14D5E020C50DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.875{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=74EDECE2EE5F9EB9FC2037D7791C86E1,SHA256=0D55DD8302D0F5090AE461D03B72434CE53B0151F73C77F7A777FE0F68AAB077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.875{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.875{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=D8F98D218945F9117FDBB6C273E51F83,SHA256=5C13EA48846967F616E8267F519F3235E9016147D65100A6C1C2E6BCF7AA9D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.875{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=7478A70F3DA82FC6E7FD1C1A52EE9B63,SHA256=114043A83802F8EFFE60EA4E27ABC1A12CF2DC6DC81857177FB23DD484CD607E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.859{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=418D1C0494366C1F24663260607128B1,SHA256=A4F2D9674AF92BCA8DDD6029CBB1C03AE309EF3DD09E4B4CD887AF5C6533C7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.859{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=8DE809C096426850F0E591F69AF5979B,SHA256=274494D797A313FB8EFA2F5A82F160E186F1F36310186BC63E69256FEEC41A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=236B41BB6185C0BC2BA9245724E73BBF,SHA256=F4619D8820A61E0A9A187422DE0E97A8D21F63397848E1D61FE3177F8FB48186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\content-email-track-digest256.vlpsetMD5=36713723A0C0C8612D524929DC29C10D,SHA256=0508CC0A1113565117DCA5AE294B1B760BF3760FECCE2DCD301C8B7B0228E30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\content-email-track-digest256.sbstoreMD5=2C126E7268C6F11692BE11629C2FF7C6,SHA256=1B96CEFEA79E6F74B64B76820FADE940636EB9F5CD4B35E65584C85B004989F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=AF32B9C2D675A714BD311805808AEC14,SHA256=7E3B35252F739A8E1469314A4FE3CF4B9AC906E0BBEA9F4E88F31F15C30B93DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=A5ABC81A6FE923E8DB43F979B10AD3BD,SHA256=B7CEA440E3ED079766AC192B672DF4DC17B36C740F9B17B32BBCB4E54AEF231E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\base-email-track-digest256.vlpsetMD5=180B597663D98AB1B5E09ED8EB61D6F4,SHA256=5A142D44D91F33D4EBD7AE81DA219C8EE0023BA8328DC2F5F1AC3FC2F8808314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\base-email-track-digest256.sbstoreMD5=97239BC16E55CC1B0BED952E65610EE1,SHA256=27F32FC0B6D03158284FB804569EA171CE99E7A08276B68C7E16B4BC254B67FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.843{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=00E12F637CA3DBDCD1700E797EAE9522,SHA256=5F22E3810F487A0ED1E1680C7CF9CC33749E409389B386BA367C00ACFCF5C4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.835{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=88B44DC75B1D0E8B36B9BAFD82E73053,SHA256=6D7B3C150EA8E3DBD9FB4C521E5AFB2C7D9556BFF0BEAAA2661F3C3420AAA930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.835{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=EA8FC2B1E715FF5F0D99177063DEC900,SHA256=1D20EE535B3A5CC08F514B342B32398677B5CCA3C5E3F1CE5B74370B2361B688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.835{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=801B0CE649BB5EA80E92323DB6ED3A64,SHA256=4B7725D4DC97F1EF4A544E13CD559CE6A945B5DFF1C27A4CD0750E5D42C91FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.816{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=418D1C0494366C1F24663260607128B1,SHA256=A4F2D9674AF92BCA8DDD6029CBB1C03AE309EF3DD09E4B4CD887AF5C6533C7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.807{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.790{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E230AF3E05340567340486CD1F8DEC54,SHA256=8D2540DF431A61FADAFB1B8ADE9672F523BF076395F92B90E5EF719D346167D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.710{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=A3D88DA7E3BCF05AA432D0F50F3FA577,SHA256=76131D066BE0A3254A20EE81685EB767E3C628520400195A57B5B06A68151276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.693{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.677{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=74EDECE2EE5F9EB9FC2037D7791C86E1,SHA256=0D55DD8302D0F5090AE461D03B72434CE53B0151F73C77F7A777FE0F68AAB077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.662{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.622{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=F56476896CB0E0F39F8016DE48E62A24,SHA256=593C36BE94EF0E888AB0326C95B85F0E34404765C57A8E513F181D044253DBD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:36.153{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51699-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:40.540{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:41.693{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=86DA8CDB0F5F257F0BB7C9F4607A1C30,SHA256=77F68CF46DB5574105532181D1A808EF2BA1C437611B51D9EB4FAB757E891986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:41.663{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C640BFE9A66791E00E1F5AB13A398A,SHA256=8BD5A1BD5F87697A19DEFCFD3A95E6137127EC76AB8AE1D7FF4B1174E523AC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.537{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=5747CA1E1576D458D3F6DC2484EC7417,SHA256=7DDB690294FD365660A3C1B9CBE9A094B156E9BB7508AD770431A50272C3F7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=F2B926AE99C7939A916918AB01A33F2F,SHA256=8114D3A16DB469A3519C773AE2489F89778B212FDF73C6D7A15E98170F2DF4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=527830308D13C74A6D66901E8A602A4B,SHA256=7FDC9CC74A44EAFBC50EAB63C55956EE93CB1066D2C36D71DB3A725AF969E751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=C1A9CF32AB5213A7036B4BD6AF156C66,SHA256=BA022FB6993ACC15C243F547A1542B35C0701CF108637C9ADD529BDC042993F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.020{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=D9447AE410C13A7A2072635FFCCE9A3B,SHA256=F32F8B9BC1F687AE70B46038251DE68480DA1605003803EFBA370236EDF57ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.018{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=A3D88DA7E3BCF05AA432D0F50F3FA577,SHA256=76131D066BE0A3254A20EE81685EB767E3C628520400195A57B5B06A68151276,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.018{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=7674B07A44D9FF82FFC207994EC6BAC3,SHA256=F35BD1EB0ACB4559FE0C5EE2E98DCDF1A5C8E6A70DCAA01A74606F1EBA8CEA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:42.792{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7E2485EC18DE160F51C47F19528695,SHA256=5C1769B303D54ED3150CA620269712F2B9144AF88C471D9FDB1CDC9729C715AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:42.062{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A85D092471C6ABA3A9E046F2791C399,SHA256=21A16F8924B07CE188D995289C8C6BABD75ABA11AA1CED719198DFB30721C199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:43.864{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875666FC0CE6E6AAF8DE4A930E2B45BD,SHA256=3C0BF53932E021EEA4B5386161C997814C60BAA0BCB4C90C02E797743731D1EC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:58:43.442{AF4EC832-6B63-6442-1200-00000000DC02}764C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d97448-0x9ec6962f) 23542300x800000000000000028139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:43.141{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B456D7C54B9D327567D12DF72D3EEF63,SHA256=835E31012E3585135B2E463553977E87C02E3CE89E01CF004E206A471AF714DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:44.928{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CB8667A69699F897B8776337966093,SHA256=DED7D0ABAA760249EDC9D937B558C923CEA16421A12FEDFD2D1CF4A36E6F9434,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:44.124{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-767E-6442-4F02-00000000DD02}3744C:\Program Files\Google\Chrome\Application\chrome.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:44.108{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-767E-6442-4F02-00000000DD02}3744C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:44.108{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-767E-6442-4F02-00000000DD02}3744C:\Program Files\Google\Chrome\Application\chrome.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:44.108{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-767E-6442-4F02-00000000DD02}3744C:\Program Files\Google\Chrome\Application\chrome.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000022959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:40.341{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50480-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000028142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:41.186{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51700-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:44.183{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E02125FADE052F44A9DC41989A74710C,SHA256=342BBA9C593B00B15948CC7B81CB6354C5EC3EC79DE2D38705DFA4880B42DDE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:45.201{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0675218A218C70B24653143CB5FD9CC0,SHA256=DCBAF20CB2360E9BDC6116E71DD9872F459C56DD10B4E1819B4727525BF1A719,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:46.709{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+d30b0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000022967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:46.709{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+d2b91|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:46.709{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF31347f.TMPMD5=1F4BD192F37F455E666A6F524978A45F,SHA256=3DEDCE8C8A9850C8DCE400D84B20A73ED72ADA56B93AD8EDCC0D71F32CCC9E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:46.042{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65899FD8DA11F0EC5B9C8D6A2D3B97C8,SHA256=E262A221184A4A3487B29494B5CF25967914778EE489B078F161285CA7ABD9F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:46.249{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62D9FCA326E13323E212AB2034813EF,SHA256=83BC07A5F473570591A13CF688506EA31EC8C4E5D8237290906B619EC12361D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:45.487{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50481-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000022970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:47.308{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000022969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:47.108{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC1447737051E6FD15E4AF1ED7E4589,SHA256=AC32385A946A028BCA16605B5C7E44878E105FD8DE3FE7251E8DA7576EFD64D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:47.275{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2579FFE5D8B75790E9B41F01D577C139,SHA256=DE3FBFB975A38A27CDADD0AB9B46D9B9180F57C44E323477FBCC117A2E8EFDE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:47.206{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=915EDC31C0C7E11BF71E66FAC5E9FA56,SHA256=4D7B71B4FA63DC4AED881B3013581E8D38162F1E372B07B95F239FB570D25391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:48.142{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB85D57F5C0B3753BC61B2C3B5C6EFC,SHA256=270D30DBD0BC08BB14AD703CF983E2C26FF75FEF444D0FE5E54A968F15768A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:48.293{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C53F9C5251DAEBADF4A5ECB42929791D,SHA256=04B7C770462895FC37A44659E2FE8D73EB3B628F2528E225E824692C2F0E9FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:49.291{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3453C5ACF590124C8F9B6CC6D6357C89,SHA256=D2969A750A3B210B434EB202CB39291B822EB6FFCC8A9136B2ACC5815F4CF3CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:46.198{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51701-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:49.412{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508E08B3A1BEB1616E9CBF0C77B84654,SHA256=46A5DAD429D745E5EF6B45B289276DC157FEFCF436B5543FAEDD5215F9F966A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:50.340{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CB9E86D4DC2153BD335A6F0B4FB1B5,SHA256=F69B7B9B0C002715BD87946627D3EB784ADE34FA358A15CA2A487A38E3FF5FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:50.433{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79A44B546D36CAC0131B5475E60E3F4,SHA256=EABEB373874FA05ECDF3BD47C59C445420525661BBCA3F42BC0BEBAAD645A0DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:51.390{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69CB23BEAF47EC3DEEF1AA25F36DFF56,SHA256=EB8615298599C3FC190B3EE363F7BA636569B813706DAD94C09637AABCB19016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:51.463{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D750D847A788C720290EAC7D6F72B3,SHA256=6670DC101903E67729A5C1F133FAC69F1B1D03BA853EB1437AFF29B5F50DCC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:52.462{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3034FF83BE1D6A9DEE06D251E63E2EBD,SHA256=505F61C908ED29C0831752E93D44DDDAD42E739EE6B980012D092DFDCD5AD1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:52.504{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BFB16A71898FF2763ACED03A53950F6,SHA256=11C79B6850D93C60068F50D84DC75CF6DC6C0131B718743B4AEE8D4FD1B390FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:53.493{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798F66BEB7E5CFA4E35AE2C34CA42981,SHA256=3B48E5904001883EBE87F67CA3E0E0E036E0C038A6152587ABDF1E94A58B033E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:53.540{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0F25A743BB40B610E675B9FCCD32FB,SHA256=516AAB03CF154A1A05471F5787767A4073BF60916BFB68094C74FB6DB65D2219,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000022979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:51.452{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50482-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000022978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:54.511{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5358844E6176AA4015AF915C902BFDFD,SHA256=5EB40FA5D741F71CC0FF6B52914B6DEAA63771E5648D7D2F84A2A855A42F5A35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:54.570{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE498BC1C15F66A314F061CF2151A16,SHA256=1C856B380BBEF273009465CBE999984CE069FAD248F16E10927A35BF5631C0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:55.568{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D727BF92D0826AC7E4F05E6D35C8F49A,SHA256=65D215F3A9CB596FA76E42EB8EFA57024EE36A1D5721B542BEB5BFF4497C8F1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:52.181{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51702-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:55.596{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8990F663328B67A71CE2A9567C528AA0,SHA256=F333F6F7AF35DDEA4F13BC63F327B3F523B8350388C7A04CF08E961AD8D431F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.616{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74C0587530C7488BB05DF601214257F,SHA256=6A92B5977328A9E33EBDD01A902CA8B1AC5A3C758ACB883E277D3D436E38332F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:56.615{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD49754218C1486F3B6A0E31F233E328,SHA256=B906C730CCD6EE30C9807C417D86FC23634ED1ACA97FA7040AE389296E037ABB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.352{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A80-6442-1503-00000000DD02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.350{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.350{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.350{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.350{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.350{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A80-6442-1503-00000000DD02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.349{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A80-6442-1503-00000000DD02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.349{223CB5FF-7A80-6442-1503-00000000DD02}4808C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.935{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2285ED865E8D39176F9280C6904A9ED7,SHA256=44FC6011C3DD66D4E206E2C71C92A49D6469D869EEF2AFB05B4859EE106F305B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A81-6442-1703-00000000DD02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A81-6442-1703-00000000DD02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.874{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A81-6442-1703-00000000DD02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.875{223CB5FF-7A81-6442-1703-00000000DD02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000022999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.634{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0355952A4BABCA187A771B804F118CD,SHA256=62DCED60994D783E5BF258B307088E01E85421F6B81D0C7AE1EC997B22D7C0D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:57.633{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E43BE2C764836C172F4DB8637BC03C,SHA256=B118971D96A73FCD66DA5A3A72D622B56432AE84751CF22F1B49FB7142757D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000022998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.452{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A5E4D26F8ED1AC782EEC26B1EA3F617,SHA256=FD179F3437B35802A2CB840DBDD7BF7C2BCFBFFBE33124E88228937087BEC7CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000022997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A81-6442-1603-00000000DD02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000022992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A81-6442-1603-00000000DD02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000022991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.272{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A81-6442-1603-00000000DD02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000022990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:57.273{223CB5FF-7A81-6442-1603-00000000DD02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.768{223CB5FF-7A82-6442-1803-00000000DD02}66403772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.668{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3967DB551F5C7C3C409A97F11A74E395,SHA256=909D638901039D85CAF7ED0F34E8F1D3C1312939ED5A80691B35449F53F997AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:58.652{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48B6DD4DCBBA96EEAF8A86A902A07E5,SHA256=D4B3B32485B35416B709077F651741038C0E04ED7201D18C4FF992F184BAB365,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A82-6442-1803-00000000DD02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A82-6442-1803-00000000DD02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.613{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A82-6442-1803-00000000DD02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.614{223CB5FF-7A82-6442-1803-00000000DD02}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:58.074{223CB5FF-7A81-6442-1703-00000000DD02}64526604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.818{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8EBC1AC41BA5A507E09971B7413BF19,SHA256=2964A6008D1B204C9ABAEF911B76FD73A8904DB63E0663D5994E4DDE9DBD077D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:59.783{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A98AC5C3FD9E5A272973DFC53AE15B,SHA256=679028FF317B31C1633BF0FEC803DF1BE5C9D091DC5A0300390E75B88C97EBBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:56.465{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50483-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000023028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.463{223CB5FF-7A83-6442-1903-00000000DD02}67166712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A83-6442-1903-00000000DD02}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A83-6442-1903-00000000DD02}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.285{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A83-6442-1903-00000000DD02}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:58:59.286{223CB5FF-7A83-6442-1903-00000000DD02}6716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:59.583{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EDA01E8B987A3125E7466E5BC500C44,SHA256=AD0DEDDE2E22DAE33FB337A2360BE150B04A713CE2E34CC2CE2E55A425CF8BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:00.836{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC96B91C2ED3C2A5A0722A5B165ACA1,SHA256=ADFFA7827F0FA5E095057355CA3134641844DA03E3BDC6C2BB8CC0BC729432D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:00.821{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A84-6442-1A03-00000000DD02}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:00.821{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:00.821{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:00.821{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:00.821{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:00.821{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7A84-6442-1A03-00000000DD02}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:00.821{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A84-6442-1A03-00000000DD02}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:00.822{223CB5FF-7A84-6442-1A03-00000000DD02}7088C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:00.810{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AECD0F489DD9179C4B91DDDFAA141F,SHA256=8B2D7F843E6A83E7FD54771EC07DCF563206E14A30C87FFC431E8F8C9955A19F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:56.592{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51703-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:56.591{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51703-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000023049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.977{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E230101A120AB5F70E99A6BEA012C1,SHA256=3BB233B18AA59732E15A581C9B6B810263E8C6205F92834A2B06948AB78FF5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:01.828{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E645D3BA9CAC1B4BA0856BA31D62402,SHA256=077D647600A2A53F27DDAC7FBDBBBA91DA33674CB67EF911EEE64E352BA6F07F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.322{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7A85-6442-1B03-00000000DD02}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.322{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.322{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.322{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.322{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.322{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7A85-6442-1B03-00000000DD02}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.322{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7A85-6442-1B03-00000000DD02}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.323{223CB5FF-7A85-6442-1B03-00000000DD02}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.037{223CB5FF-7A84-6442-1A03-00000000DD02}7088344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:02.846{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A380F849E737C4F78F23E1AE60B71E84,SHA256=E7CF0EB629115CE1A3EE161E4F5D2DDD0073D27511824210FC1FAB92CAEAD8D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:58:58.180{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51704-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:03.866{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD296039F0DE370518F51024B5242F77,SHA256=7D4114EE1BF6C961900EDE78CBD37EFBEBAC253CA110884F53E6B0EC141C0C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:03.096{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD7B1743B58DD4896E40EC6FFA54182,SHA256=F1D76F42057805E153206323BDA3376C47D1FDE4F7559950DB428566DB155CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:04.920{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30852F5C4AB98114EDB7A4380DE197D,SHA256=11D5F3CED07AE386C3385C9A1DF8DC772F00E23403C4AB0B6A24D216FE0BA884,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:01.501{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50484-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:04.143{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EF8202F56E1ED0B1C580B8BA245574,SHA256=4A4F4545676336A9DB6295B333624C02DFB1B5A68972366627970957635CCFB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:05.953{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55210F8BB532EBCC9460E802DAF60354,SHA256=01AFFD8EED97109E202FF0B6CFB866B509670EAF5057ED976017EDCF5ED419EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:05.262{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBB5EAF1F7D238661CF107582D790C19,SHA256=9FD67BD03A54594E0FEBAF632BBDCD7083C1980F52797CC90082E6347EA8D020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:06.281{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A94FD9CB27A809D5B65C2CE5AA87F1E0,SHA256=B53CDB18FC5E2B586C1F110875D010CC63213F67D5713D903364B8AA1D409A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:07.953{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0407D0F5C9D50390F2EF7E2D099FF48E,SHA256=F282F44033ACEB963E2D44B64BC83A8AD9BF10F8D120A1E403A7F15E5BE3FEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:07.306{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=549534A7BD4ECCD40D66B2A802C3508B,SHA256=31D66FCF95CC17F74FEDEC5461ECFDB8E044A7EB60293D007948327FB923C6B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:04.109{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51705-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:07.073{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F6A196E694725F745A3D3E8FBA9052,SHA256=0070B6EDBA245122FB3B58880D5D3A22E8BF5E8ED8BE6FF2CA5ECC598565CA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:08.438{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F27D16FBD5849C094DD1CBAB8B08D2,SHA256=FCDDCCCDCF971C6094B0672CFBAEA553BABD188BA7014232C168A58D06542710,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:08.128{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43513C5F83663C822B74C5D97B03415A,SHA256=D305F61D4AD235342826A53F28E218AA2B7C0504DD037806AB471D28133A2B18,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:07.519{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50485-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:09.476{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=292664363A781CDC8E896B3C1C9501A2,SHA256=EF49BE230E89543D66D1BC8255BF2E3CBB420C892DCBC81E836538DE7E2A5DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:09.146{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=661B1E5C1E367334EDC612283A2863A2,SHA256=912F6017B1873D37C7C58C245508545E904AECA1491171AC6670D45B31E469C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:10.517{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1599A61EB45CB0AB9155B152387EC96B,SHA256=9B3F4D5DFAF70398431D42193D1586F114AF04263630CAB90B90EA32D8B9F409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:10.210{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D075D2270D9A6C3926B5B147510A04CD,SHA256=C1ECB20D79250A1C1DA39D663086D9568D182A354AF9200D2351754BA8045419,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:11.550{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DBFDC6173FBC3CB14B1419D29B62E9,SHA256=1AD745E4204E4077A32666F0CCBF48A5B0B41E1F1F65FC3EFA4BFC7316981549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:11.236{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2AC67CA5C0BBE32160B9A16DA460E4,SHA256=78A4ECCB2EB158C4E4831B9677F8D75149A22786713E856EF6B0F1D226E2DF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:12.568{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339294ED127669F536A047427B960A34,SHA256=99BC79110521636723E8DA07283B59B047B1708A2A98A681118C534E02838BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:12.695{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\permissions.sqlite-journalMD5=66A8461DF57C495087F7FF985E7ABE1C,SHA256=C3ED588F127FE7AC04633826E3B246B9B82954E7AD7D0E9EAD6A422F01DA4AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:12.254{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B994E8DF6E9C3A4B739FE34853EC8F39,SHA256=E034030E1EB70CC2B697F96A863C6247C6D070E77012F0DA0416872665F96EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:13.686{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C64CD9CC10DF2F02FCE87B541D258E,SHA256=BE685535BA1FE74F956085DF7FCE4F43FE6484F9432F9D01F2889CD4B288A254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:13.272{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C017D6AE2D5E84B443D7CDEDF2C4666E,SHA256=5F5A68EEB17B72E3150FF0C1D016C23B09EAE33633D395BBFFF4721A562ACDE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:09.298{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51706-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:14.706{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07DBE6A8CDE82B7D2C09B03D7DEB181,SHA256=4AC3747ED3115CD53D709D2A633C45489098221C9D2983E5B898DBFE68A14253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:14.393{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78A2CD19525513D9D3E6B95BA7E0EC9E,SHA256=CA1944028E53EA2E1A5D7C337E91B8EBCF5A21DA898BBB49AC465555004231FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:15.831{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5A8B3F41266BB0548729539A3F9CFF,SHA256=BA95BBBA3E13FDCADBB3325B5CA170CCF712D8EE0A00B438E98E29E19530633C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.462{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCD7B681D990879AF722C689D441CBF,SHA256=2170233F02D9DB4C1297CE348C152D0A640EB69559357BB068A483893D23BF55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:13.280{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50486-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000028189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A93-6442-6C06-00000000DC02}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A93-6442-6C06-00000000DC02}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.145{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A93-6442-6C06-00000000DC02}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.146{AF4EC832-7A93-6442-6C06-00000000DC02}5220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:16.895{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF0CFBCEC646046ED671D39CD082E94,SHA256=5E0F17B3FEEF4E4A18DE8CAE64593BBF821028BF76772CDE75FEE745FC096492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:16.498{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D67181299FA7D37C8DFF8CD35400070,SHA256=701AFA75370458038FF1C7FE2D12E10000F5398D7379B2566810D33D6CFA2767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:16.196{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=550E1459D73659A4091000D0259EBADF,SHA256=7FDB4C79E8862168DDBE68D28020440DE330069EC3B8D83E324E52499FA26352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:17.914{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C729FE8E6E676240AD1613743C9DDAD9,SHA256=615A5843921746079240505084CFB1055E7B1DF58EFDF0225C5055D1131BD377,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.703{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A95-6442-6E06-00000000DC02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.701{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.701{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A95-6442-6E06-00000000DC02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.700{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A95-6442-6E06-00000000DC02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.700{AF4EC832-7A95-6442-6E06-00000000DC02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.667{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E718863847575279E229B194B910A490,SHA256=65AAB545C37404B5AAC8261C8DF208B0C7DD4B357DEF6A6ECF433184681EC2F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.551{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47BE6E9CE5B080FE5C83001A66A84A52,SHA256=E4F9A47EEE02B5FF2A7C03139F035A1712CA0E29004543BAB86E92800EF8949C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.327{AF4EC832-7A95-6442-6D06-00000000DC02}57285556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A95-6442-6D06-00000000DC02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7A95-6442-6D06-00000000DC02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.150{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A95-6442-6D06-00000000DC02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:17.151{AF4EC832-7A95-6442-6D06-00000000DC02}5728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:18.939{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEB9A616ADEFD3356DBAE57A995AFBF,SHA256=421502D5E19F9B6B54D5807F349663B05CF2F947EB54A5297B4EABF7C5987EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.585{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313214733C0F311717377C64BCC03DD2,SHA256=C08D504E943813E6DDFF53DE9C5A4E8BF2A73FA8832B245ECF856FA8EDDC32D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.503{AF4EC832-7A96-6442-6F06-00000000DC02}42006840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A96-6442-6F06-00000000DC02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A96-6442-6F06-00000000DC02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.329{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A96-6442-6F06-00000000DC02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:18.330{AF4EC832-7A96-6442-6F06-00000000DC02}4200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:19.971{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1290E65371A3142D82C0A3892092D0A4,SHA256=9194012B988AA8212F1F7799A4C1876761165D9ADD56AB4310B657397E698CC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A97-6442-7106-00000000DC02}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A97-6442-7106-00000000DC02}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A97-6442-7106-00000000DC02}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.957{AF4EC832-7A97-6442-7106-00000000DC02}4664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.632{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68C3DB0D1860AB5DFDB738654090AE48,SHA256=990E82E0679EC5AB572C609D119F6F34FE189BD2DBFD9F95E1E4BDE6A6E53863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:19.454{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.455{AF4EC832-7A97-6442-7006-00000000DC02}52921384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A97-6442-7006-00000000DC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7A97-6442-7006-00000000DC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A97-6442-7006-00000000DC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:19.287{AF4EC832-7A97-6442-7006-00000000DC02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:15.219{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51707-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.942{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-062MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.743{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC118E2335A7F6B9557900A5C1CD049E,SHA256=946B8FE132D2C53F4D4C6A7F432FBE3B78A523A427ADE4FB953DD086D025F952,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:18.416{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50487-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000028249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.616{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7A98-6442-7206-00000000DC02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.614{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.614{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.614{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.614{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.613{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7A98-6442-7206-00000000DC02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.613{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7A98-6442-7206-00000000DC02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.612{AF4EC832-7A98-6442-7206-00000000DC02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.173{AF4EC832-7A97-6442-7106-00000000DC02}46644596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:21.939{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-063MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:21.777{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305FD66487E3D5B72FA15E9452052766,SHA256=D7A105745FF83E29933BFB5965A026FD482E9C5465E69C3E7BFB31E2B9851A28,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:18.717{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50488-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000023073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:21.022{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE6548A9357DF63EEBA3CDB6304B0E5,SHA256=B2576E351274E13D6EBE2B8A5B75820FFC461AD84BC888593B6B6CD980A5B82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:22.045{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D0906B7235D97B1D65CC1A97592DA66,SHA256=5167A1F079136BD269D967B4D327E1D3237AD90C68B2C75C1836C663643F6930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:22.878{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7465CABB1D938EEB60D25FA2DF0352CE,SHA256=2F23B6840D7FADA5502709CC8574B48B1EF723A0123C407EB8E8C9A0B1CACFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:22.593{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\datareporting\session-state.jsonMD5=F7C7690B87A08A37277D23B1B793E325,SHA256=7FD003308122FEEDB7B9B7E5497315FC2DDD243FE97EDF70A50B58EDECE3C5FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:23.193{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A07E6BB724577EB2AABC5EB81F0FFC4,SHA256=65947247BEADB963366A65E4456C138953AB104CB65BF9DBD1FA655697C486F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.681{AF4EC832-7353-6442-7A05-00000000DC02}4404C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51709-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.669{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local52198- 354300x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.668{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local49505- 354300x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.666{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local64087- 354300x800000000000000028257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:20.222{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51708-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:23.916{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AB928D40B2061134735B869B5C1344,SHA256=E3DF81EDAE4B794A4E2DE0591F702A8446172755D30597CC2390BD306B3F2E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:24.970{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB3252D59C06551CC8ED9B294620A1F,SHA256=1B8AD7CDB5CE6630C4CD4EB613FE325A7456F498BF9BA9F76EAA5E93B8912F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:24.329{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57339B29F0040AC070777AC6BF86D425,SHA256=DAE9E20D2BAE9AD742E038D06B56A65FBCFD9E27243BC5041DE7CDBC26FFDD24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.988{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59590A619D71D3374B5D7B023084170E,SHA256=8FFB049D3C96C09822263C20D42712CF323C7960A0ED7285B03518B4FC241164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:25.355{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F93DF72C4FFC66FF703A73AD2304380,SHA256=E849A7CA5239C853065B1E9513E5FF0D3A91A3C8EA19DD782994EC8EC6E7BB62,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:24.432{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50489-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:26.393{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4BF9EB8EB8947EA1AEA4F3DD0A0565,SHA256=84679E81CB688A264D51E87EE5C1130F424222562D31417D76774AEA47687306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:27.412{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31194F494E7000B737DD625034004910,SHA256=0A039FDFF215AFB9AF159FD979C977BBC9B1A892078AC2FA38AEDEEEB8772028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:27.576{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:27.023{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23D149B627643BD124794881BDC93B9,SHA256=EF8961D0D383203D49B91C0A8D86091EBF1B85295D10E97798FFDD411CFDE2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:27.380{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\datareporting\session-state.jsonMD5=CEE2DCBD31ED0A3326BFB6E3062FEAF1,SHA256=2E9D4487ADF5EA4B54582646586745EDBC12264F38E66B7E5730F33B008C6CBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:26.675{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50490-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000023086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:26.662{223CB5FF-6DE2-6442-1600-00000000DD02}1236C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal58955-false10.0.1.14ip-10-0-1-14.us-east-2.compute.internal53domain 354300x800000000000000023085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:26.661{223CB5FF-6DE2-6442-1600-00000000DD02}1236C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9810:1e90:8186:ffff-58955-truea00:10e:4100:4300:2000:4c00:6100:7900-53domain 23542300x800000000000000023084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:28.430{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A04EFCF7F69AC57FD02EC0DDF9BA22,SHA256=BBBEDA09CCFD4774ADF1592EDDB1EF2F4396A2AD292E426923587A8BFEA83FF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:28.054{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8967B2E257352AB959EA6035346BF613,SHA256=1B22EC4E0E0EE8321E281137661C13C02DA74AD915C4221A4331310B359DD080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:28.398{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B58F6450B414464869D957E969628D37,SHA256=F9F3E12579F5F319683DB229C3E980655F36D2BCB78CE940189B4BA8A1D58C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:29.451{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B6040AD53CDA613613E2197836964FB,SHA256=1CDCC32475EA997CA1C265192BC07E4E03B9543AE1F7011B928368EC5D69C316,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.783{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal54287- 354300x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.782{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal57742- 354300x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.781{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal58955- 354300x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.635{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51711-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:25.234{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51710-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:29.095{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C8FC7D21CED313B1022421964D1B79,SHA256=CCC13CBC7949912319D70E5A5B8E88562DA274883CE11600470DD3F751A33DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:30.504{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3273CCD658007FBD764C4B02EFD327,SHA256=AAB93D660A44AFF085B9F10B75FE5A69F2B8082976D81152EB9C8A292FC29515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:30.313{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6972B14D0710C16939D53A8EAA9F5F49,SHA256=4270085D345286D170EEF1EB67CAFA181F9F92BDBBB5509C3CE05812B696BA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:30.113{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFF92C452F170DDC49754F10E19676AC,SHA256=19FE94E839B36A2340FEF25C9B8B72D5BB8C173706CDAF160B4D4CB7D15E0374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:30.052{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-052MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:31.622{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD91BEB0B57E5BA671507EAC3E0273A,SHA256=787B5718269DD2A284AA013968F2FC0A438AE9478E5D5D2A291418EA609DE491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:31.161{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93740D876DA7D5E73B5B5E78DF6C3D6D,SHA256=E7910FB3CADD77E38C5A3114901D3301622D5D34315DEEE14C4C226AB6CCD824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:31.053{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-053MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:32.740{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A504691DE5D86C9C54618A442F807CAA,SHA256=DD593EE37E7F738A836BF0FAE3FCABADE22CF3B17876E2F92DC88F9B3AB3BC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:32.187{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F161A78748F4CBFEAFE1E2B7430991D9,SHA256=008BA1EB3BF74208FC8BFCF2A3A5551BED15FFC6920BA61B4FD8239A92CAB0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:33.781{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC5361888D7C0AD7438B19ABF03BE53,SHA256=C20E2248C09D089B0ED0397F13191C37E675CEE42B15AE36916AB50CFCBE4CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:33.305{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5070C097D9DF6F74816C7BCC9407B4C,SHA256=246E9CD10305B12522A960AE4F1B55187319930A422D230D92D1E81803EE0C9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:30.282{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50491-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:34.814{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3DF25B3D9A523272B7B8318BBA1339,SHA256=C6D239ACAFB8C6EEE242395BBDB798D49F0111E0F53E7BF2E8A6DD995E54BA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:34.368{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA341539A305BA721A55640A8D776BAC,SHA256=5FF2F2293EBF31FCF6B326EACAE5A6F902996F15829D6D264F768E0ABBC990A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:30.319{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51712-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:35.832{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA9B72A3A919FEFA71C69ED093E1A49,SHA256=1C3A3141179D443E3EEFB8E1254EC54F66B667E27C7833F5DA57F15D6FB4D054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:35.410{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B43AD020E06A4779CDC66A48D70C3E,SHA256=2022E9EEB629CC6B8C8BF25736FF8D0491959215058A5C2DE650A1382A3D9DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:36.868{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861A77C0BAD1123BCDD69226EC59431B,SHA256=AFB8404689EDBBB4DB94EF765C730E73B70162C93E762CA4C129980715CE4AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:36.446{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61BF22FFA30AC5046D81BE594A41B4E,SHA256=6D205CF4EB34D1D102E992E3E9D86325782509D8369C07710ED0812144173C2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:36.347{AF4EC832-6B63-6442-1400-00000000DC02}10641404C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.923{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597763210BCE537979270F62A74EB26D,SHA256=F1823D267D56A89EACBF4DEAE1DD7EB59C6E5EE95B15ABB867448B5FB900493D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:37.576{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4345294BD12E05F800A3EAF5EDD1D2D,SHA256=4B87AAA2DA72E790CA8405897F0138B1E3F2D5188B3B906CCF37EB6EF350D841,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.506{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.506{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.505{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.492{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.492{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.492{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:37.492{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:38.957{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442C6B875FF16BDF3DCEFD3843CB9B08,SHA256=EC7D8FC2A29BA850B3BA772803ADDB0D55AEB8C3883CD35AE7D23C0DEF905247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:38.602{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C05273469F7288EAC6805D859F807BC,SHA256=085A23BC4F6C7835062B0F5C035930845B9027D39A8F67A94E34BF35157792B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:35.444{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50492-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:39.976{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F164631F6F0A8EE79E56A225A4F216A,SHA256=2017F89F5EC5BC1138FB96565E276AA368AFDCBA4C38FF73D1CFC1C87B687898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:39.719{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9CDEE2C8B7657C55934C966DB3175A,SHA256=CAB7025D4CF7ED1DA283591DBB0E461B4AA0951604384019093F722B48620D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:40.781{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8865308F370E63F679559646E397E9,SHA256=9E71729499491E25D266B891627CBB55B7A51A381061241B361E7F8C9B307CFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:36.313{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51713-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:41.837{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4E9B7E509371816E0059B31E7E5FEE,SHA256=EB386FD1F57800575789EAA4F9CFD0B73E7FBFA5AAF92D79B1EE2902221162FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:41.000{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59C255A8EF481923099D6E86E111649D,SHA256=48B97B1BE928848EDD88A9A698437CEE12B0FD1E270862CDA36DCE3E51BB9C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:42.907{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69B4E48C7336E3AB77950B8DC66A07A,SHA256=5D2CE374A0542FCEA9A00A4770E7F5C971B9DCBB3CEDC0567F4FABA419FE067D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:42.064{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7934FB768B88D65830244574B2F42C42,SHA256=D03AB8E4447E208C4A5053DD446A6BF52BB1413F0E53505FC9EC3EAE738B3C18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:43.956{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3613A0626D4462E03BC3C4F2FB479A47,SHA256=CBD6250D2C5D5D76F807327095A4B2BC6C580C8061E7D6CDC1FCC463BA80A3B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:43.183{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DF95D11754D1358F1A029D7D6D6771,SHA256=36BD21DB13181EA1A86DA6E10A79178E4BEA049DEF31FDC480E4B4705404801E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:44.207{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15F6B8A22F3A9B3B200BD854ED2EE87,SHA256=422929EAC3A2AF73E526C8E5515BD2C19E077ECBE1B82B7A181259BDA5711E88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:41.359{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50493-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:45.356{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD92092B69B89B8B101F1EC054E0B56,SHA256=A7E607FF01C259354FC4E08A43BF7EA6E21EF1825526A3DD532113FE9706120B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:42.319{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51714-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:45.057{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDC6CFF8EE4566213AFDB78F1C206B2,SHA256=2CD79BD9DB007C444F91DD6011557BB7BCFB94633D2A54ECDF28226A5CDC6EBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:46.713{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\datareporting\aborted-session-pingMD5=F1FA3D78ABCC8DB31FE7760FD8F41BA4,SHA256=210C1D400D3566641E6281BF056DCC6433D579BEB6FCC406B99E8FC7FC087E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:46.391{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=692839B502BC12194193946D7F632277,SHA256=7AFF33C6A490B5F82F1E882AB1B4AFB66237F08D4F069B32D6F0F1163D298D99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:46.187{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1971024AF2315F23452B2BB34ACA278,SHA256=93F11D697B225151D350B026B6554745ED634502F963ED3783344CE6E5162B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:47.515{223CB5FF-767E-6442-4F02-00000000DD02}3744WIN-HOST-CTUS-A\AdministratorC:\Program Files\Google\Chrome\Application\chrome.exeC:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences~RF32220b.TMPMD5=169703CC3B6B2009034671FF016B62F5,SHA256=565B478F9B79FAB56C7E23BE4404BB4001A1E30C0B3A073F7B4A437CB9236C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:47.415{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644B7FA3105670F96695B742B3BAD69E,SHA256=303E023BB7692A7A0A7EF7623FDCAB3581A74F846EEAED08A6DD8920FCD12569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:47.943{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0F14058DBC0199073A967A006EA7FD7D,SHA256=FDEDC667A660555BA8E091B3CED6C2E1025F14701C92DE3951FCAA8D4461602A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:47.227{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E234EE0F6B2B451A013E9762B994F9CB,SHA256=5DBE92E7419409DE666CE09A10001835923D749D95429A3478AE406779E90CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:48.463{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C9BCBCC4D4C56DE0CD4375AFDFAFE5,SHA256=2DE41C868B43E753E02F223C98213AF1741F0200AD281AF5DE87472F22F82C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:48.361{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3557BA2DD6D62C750AF175FF3506E8,SHA256=2ED2EBDE861DAB5ABEC1E90496E3A07B27EDD31F525D0E3697DC517484C15C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:49.481{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDE9A29F2670B039371C01703EA1031,SHA256=DC673369C0BB7E1C33588CAAE29B625049A340A855F43F0510B4DCCBC2258A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:49.413{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B4D4BFC88DAC8BAF6E253708A2FC5D,SHA256=F2E0D591F198008DB652D5328FF5BE2F14E41AC8CE8A831B79398886F0AFBABD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:46.468{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50494-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:50.512{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42E1BADAB5039E4596C1907829CB7A0D,SHA256=1B699A78CFA5EDF30DEDAE8F2AE62E16235D88A30F46D26AE9C2DDE16C3F28B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:50.463{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15FCA429E2B23DD0903A461CC4A6EE4A,SHA256=D1B284DD689BBA7172B765441FA8453CB586D9216D63FD90F08C45865211B653,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 11:59:50.130{AF4EC832-6B63-6442-1200-00000000DC02}764C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d97448-0xc6865cd9) 23542300x800000000000000023125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:51.557{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F318AA605954430BD29FE094770C2B77,SHA256=A0B2B0539FA419242D2744364FA540CA353C3DF0A13C1510BA4CDB5561F87482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:51.600{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5717F2146FF1BE8330E914A93283DF8D,SHA256=99863732DA761BED6B95CD2E88EE8F6F8ABD3DC115FC72150B7930675526734B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:48.153{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal58975- 354300x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:48.152{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal60814- 354300x800000000000000023124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:49.051{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50495-false142.250.191.138ord38s29-in-f10.1e100.net443https 23542300x800000000000000023157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=EDFA4783EBE475E24CD9BCDFDA6CFECA,SHA256=1A303432FE6B58498D932E2F7720256146A089952F3C88A464B5FEF954FF1F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=995083FA626030200A7A53FC1B1DE82E,SHA256=FCA236F398A72C71A53229D5866209B5E6C36764801A5090D9A14D5E020C50DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=B634871D36EA6DDE1D13CB431C17706F,SHA256=B7C6CD75C84EA6B95CD0F12DE699831241F671368BA886F23C6F86C8D0EC2608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=24D421EB8B0AC0D6A5FC2F54C1D8E3C4,SHA256=C0F9F7BC3CA0A9838A21E4A4779F0035FB9362E5D0668D14F5E79E9AEF87CDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.981{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=7478A70F3DA82FC6E7FD1C1A52EE9B63,SHA256=114043A83802F8EFFE60EA4E27ABC1A12CF2DC6DC81857177FB23DD484CD607E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.965{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=0A5AEF59E1E9FEBABD7684A17D9F5711,SHA256=672DEE7072F009217B8D0219D469C7DED61E3CD95785AD4FC76F29AC1A2A7A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.965{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.965{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.964{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=8DE809C096426850F0E591F69AF5979B,SHA256=274494D797A313FB8EFA2F5A82F160E186F1F36310186BC63E69256FEEC41A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.964{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=236B41BB6185C0BC2BA9245724E73BBF,SHA256=F4619D8820A61E0A9A187422DE0E97A8D21F63397848E1D61FE3177F8FB48186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.963{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\content-email-track-digest256.vlpsetMD5=36713723A0C0C8612D524929DC29C10D,SHA256=0508CC0A1113565117DCA5AE294B1B760BF3760FECCE2DCD301C8B7B0228E30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.962{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\content-email-track-digest256.sbstoreMD5=2C126E7268C6F11692BE11629C2FF7C6,SHA256=1B96CEFEA79E6F74B64B76820FADE940636EB9F5CD4B35E65584C85B004989F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.961{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=AF32B9C2D675A714BD311805808AEC14,SHA256=7E3B35252F739A8E1469314A4FE3CF4B9AC906E0BBEA9F4E88F31F15C30B93DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.960{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=A5ABC81A6FE923E8DB43F979B10AD3BD,SHA256=B7CEA440E3ED079766AC192B672DF4DC17B36C740F9B17B32BBCB4E54AEF231E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.959{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-email-track-digest256.vlpsetMD5=180B597663D98AB1B5E09ED8EB61D6F4,SHA256=5A142D44D91F33D4EBD7AE81DA219C8EE0023BA8328DC2F5F1AC3FC2F8808314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.958{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-email-track-digest256.sbstoreMD5=97239BC16E55CC1B0BED952E65610EE1,SHA256=27F32FC0B6D03158284FB804569EA171CE99E7A08276B68C7E16B4BC254B67FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=00E12F637CA3DBDCD1700E797EAE9522,SHA256=5F22E3810F487A0ED1E1680C7CF9CC33749E409389B386BA367C00ACFCF5C4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=88B44DC75B1D0E8B36B9BAFD82E73053,SHA256=6D7B3C150EA8E3DBD9FB4C521E5AFB2C7D9556BFF0BEAAA2661F3C3420AAA930,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=EA8FC2B1E715FF5F0D99177063DEC900,SHA256=1D20EE535B3A5CC08F514B342B32398677B5CCA3C5E3F1CE5B74370B2361B688,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.942{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=801B0CE649BB5EA80E92323DB6ED3A64,SHA256=4B7725D4DC97F1EF4A544E13CD559CE6A945B5DFF1C27A4CD0750E5D42C91FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.926{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=0A5AEF59E1E9FEBABD7684A17D9F5711,SHA256=672DEE7072F009217B8D0219D469C7DED61E3CD95785AD4FC76F29AC1A2A7A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.926{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.826{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=9C73048B97FF4FABE3E09B10D51E6038,SHA256=23B5AAB2E554BBCE1BA0FF7F92FDE77A72C8F50F280BA63C435C63452A12F76F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.826{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.811{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=B634871D36EA6DDE1D13CB431C17706F,SHA256=B7C6CD75C84EA6B95CD0F12DE699831241F671368BA886F23C6F86C8D0EC2608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.795{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.765{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=EDFA4783EBE475E24CD9BCDFDA6CFECA,SHA256=1A303432FE6B58498D932E2F7720256146A089952F3C88A464B5FEF954FF1F0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.657{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.610{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6361B455C9E3DC3D080F090FFB8BF085,SHA256=817C22CA20F8CB042730DF12E7EC494C9C12E0E435CBEDF606F15D619BFCFA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:52.616{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A458D088A380E6EA9923A3693945FC24,SHA256=908655F671EC6D98EB0A1B612D33739C1B2FFBA6CCAC313DC7D50A6F2CE89D90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:48.270{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51715-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.728{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9C41D8B077F4B36BA4BA33DAE723EE,SHA256=52C3BE991A1EAE13C728D33B6B733EA88CC369BC6FBD490A423A3D0780796896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.627{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:53.617{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFECDBEE8126E7EEB861295E51F5B961,SHA256=8E082EC1D8BC743F0FC2E603A4528E3E541F9AE13D081AD2A1DD4B61C24E746D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=5747CA1E1576D458D3F6DC2484EC7417,SHA256=7DDB690294FD365660A3C1B9CBE9A094B156E9BB7508AD770431A50272C3F7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=F2B926AE99C7939A916918AB01A33F2F,SHA256=8114D3A16DB469A3519C773AE2489F89778B212FDF73C6D7A15E98170F2DF4CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.111{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=527830308D13C74A6D66901E8A602A4B,SHA256=7FDC9CC74A44EAFBC50EAB63C55956EE93CB1066D2C36D71DB3A725AF969E751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=C1A9CF32AB5213A7036B4BD6AF156C66,SHA256=BA022FB6993ACC15C243F547A1542B35C0701CF108637C9ADD529BDC042993F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=D9447AE410C13A7A2072635FFCCE9A3B,SHA256=F32F8B9BC1F687AE70B46038251DE68480DA1605003803EFBA370236EDF57ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=9C73048B97FF4FABE3E09B10D51E6038,SHA256=23B5AAB2E554BBCE1BA0FF7F92FDE77A72C8F50F280BA63C435C63452A12F76F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:53.096{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=7674B07A44D9FF82FFC207994EC6BAC3,SHA256=F35BD1EB0ACB4559FE0C5EE2E98DCDF1A5C8E6A70DCAA01A74606F1EBA8CEA7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:49.638{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal54843- 23542300x800000000000000023175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:54.729{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AD535B0193F4EF396D11E472B6AE1E,SHA256=5EA6B5945A5DA312DD691B7C1783A18F16D83D7EB53287505BD67A9D2E4F25D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:54.695{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790E62BA39B2FDDC961660287B29DA88,SHA256=023107975491B190830875B483479CB57CFFC5E0E3B250F3FE7B7339CD9104D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:55.785{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2CB5DC5383E69263E273245BE9C2B7,SHA256=21D5AC1BD8C64914E9C6E301FEDD443F1DAE3D4226D6FFADA0CAA536D92DB821,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:52.435{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50496-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:55.734{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3D5DCACF7150701958148B743CD2801,SHA256=D6A42A4542222657B2ED67EE62D787FCDC942618F463F741E1AA614EEEFE0DC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.869{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5574C4A5F8DCA7A6E9099C5A073245D2,SHA256=9392C00620A8AD142071D9E4920921C4FEADE773976903F695265669470FAE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:56.804{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1051D7F8EEEFCC45916F1608079703,SHA256=4E9E619FF3DFA81F8B30E6E958C42CD837619F44F06EBF066B885BB6AB362827,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.368{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7ABC-6442-1C03-00000000DD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.366{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.366{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.365{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.365{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.365{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7ABC-6442-1C03-00000000DD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.365{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7ABC-6442-1C03-00000000DD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:56.364{223CB5FF-7ABC-6442-1C03-00000000DD02}6100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:53.297{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51716-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.990{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09756811E97AC12857A98B52F61CE109,SHA256=5684C51F6E3409CFE5CCF995FC47051AE91041E359C2181D6F25674B2760AA28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.971{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7ABD-6442-1E03-00000000DD02}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.969{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.969{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.968{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.968{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.968{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7ABD-6442-1E03-00000000DD02}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.968{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7ABD-6442-1E03-00000000DD02}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.968{223CB5FF-7ABD-6442-1E03-00000000DD02}1836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:57.836{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E52D77F06C5ACF11C1315C9FDA6D794,SHA256=33F3BD28A7B723103BD87DC6FC1B95EC2C073E0741920196C209E34760106A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.589{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5C216959643C9055DD7CED921D9D50C8,SHA256=68FC69DAE9BDECF4AC6BD951B64B7BDC5AD3EFCC95AFBBD6F3FBA29EDF515A4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.450{223CB5FF-7ABD-6442-1D03-00000000DD02}49841700C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.434{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A1A7B068979023F0AE2A9C508B862C,SHA256=7BCF743F80F402C8CA77F8D3494620218F728FB317F06FC6C1A9FA0EE0013802,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7ABD-6442-1D03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7ABD-6442-1D03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.288{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7ABD-6442-1D03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:57.289{223CB5FF-7ABD-6442-1D03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:58.853{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89C0A4AFB3273A4351CB4101633CD69,SHA256=BDF60A61725C71EC042FE394E08D0C0273E54BE18C7E538EAEF6BE0556D2338D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.807{223CB5FF-7ABE-6442-2003-00000000DD02}62726956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7ABE-6442-2003-00000000DD02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7ABE-6442-2003-00000000DD02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.637{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7ABE-6442-2003-00000000DD02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.638{223CB5FF-7ABE-6442-2003-00000000DD02}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.591{223CB5FF-6DE2-6442-1600-00000000DD02}12362984C:\Windows\System32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.591{223CB5FF-7293-6442-B301-00000000DD02}56484696C:\Windows\system32\conhost.exe{223CB5FF-7ABE-6442-1F03-00000000DD02}2408C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7ABE-6442-1F03-00000000DD02}2408C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.575{223CB5FF-7293-6442-B201-00000000DD02}24764612C:\Windows\system32\cmd.exe{223CB5FF-7ABE-6442-1F03-00000000DD02}2408C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.587{223CB5FF-7ABE-6442-1F03-00000000DD02}2408C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc create wuauserv binPath= "C:\windows\System32\calc.exe"C:\Program Files\ansible\sysmon\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:59.899{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4CB4BA2F6A14FB3DF0185BC8C17B17,SHA256=8826961BE09751EBAA54AC4EE69872E75F223972F7904E10AEF36846E0F8596D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.378{223CB5FF-7ABF-6442-2103-00000000DD02}5068368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7ABF-6442-2103-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7ABF-6442-2103-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7ABF-6442-2103-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.226{223CB5FF-7ABF-6442-2103-00000000DD02}5068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:59.224{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBFA3BF6C1F0C2EC4969FDCA6024247E,SHA256=582B830F739877DDC1F12D9FAB5DCD0DBDBB6E2107A73592327FE5482C154B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:59.599{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30F71BA056D73EDB1BC1C6BF520BC399,SHA256=1984D231B129DED827A1ED5759F2D68F519D8E9EB5589C72F81DFD2A70FD23BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:00.954{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5848455904436F9AB4C8F8C511B03DD3,SHA256=45FEF300C1E88B0CA1DABEA2B37C506B740ED47EAF2DC9B6492CC453AC81824F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AC0-6442-2203-00000000DD02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AC0-6442-2203-00000000DD02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AC0-6442-2203-00000000DD02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.827{223CB5FF-7AC0-6442-2203-00000000DD02}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000023236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 11:59:58.400{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50497-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:00.257{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D8B70C3B3CF3EC39ED28382A487890,SHA256=984DAB8CBC648AC48883B37A20E1EEE1A976EF9E6ADA0979D361AACE7299F966,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:56.600{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51717-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:56.600{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51717-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000023263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.558{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E68110761E257F064D743239DF3EB89D,SHA256=1C3506861B4E01E408A9CAA7EB1513100CEDFB69EA8932015502697EC5E9BB5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AC1-6442-2403-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AC1-6442-2403-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.443{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AC1-6442-2403-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.444{223CB5FF-7AC1-6442-2403-00000000DD02}6264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.382{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E35ABB1A88DC87596185E5E3970EDBA,SHA256=03BFD155A104A83CD811B7990C29EEB4AD61AFD1EFB7CCF8D3A0561CFDC5BD2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AC1-6442-2303-00000000DD02}5552C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-1100-00000000DD02}9682340C:\Windows\system32\svchost.exe{223CB5FF-7AC1-6442-2303-00000000DD02}5552C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.097{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:01.027{223CB5FF-7AC0-6442-2203-00000000DD02}10566688C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:02.483{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D8888F83EBB920321B1A67C5F9A601B,SHA256=C2CB16B8502031B3405BDF08A03CAAE8F2BAF05874401890FF7EB8AF2C3647E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:02.873{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1D7B2CB2F21DF37116D635258CB9CA43,SHA256=76F61A654DBDC7D282D17691420A5D7F6788CC2AD35AF0C6DC6F617907C87C63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 11:59:59.233{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51718-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:02.000{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F064246C8BD0F2FB8518946B73D56ACE,SHA256=3FD5B41804C4759DF454F4EB56B8E545778A91C344DC624DADC1D28FC2D68249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:03.553{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357B7B641D8C7D272061AC65A993F6FC,SHA256=892B5208C949CE48EF35F4D1E75DB07ECB1718112ED0E1A7FA3DD53999A25183,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.580{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.580{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.580{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.579{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.579{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7AC3-6442-7306-00000000DC02}5164C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.579{AF4EC832-6B63-6442-1600-00000000DC02}13361436C:\Windows\system32\svchost.exe{AF4EC832-7AC3-6442-7306-00000000DC02}5164C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.573{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.573{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:03.009{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C5C59C16F170214D76748A50FB9C5D,SHA256=3F95CE6485613001B374F2FF1837CAD7F71794AC1BBE4DC8B875C101B539B798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:04.664{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46C955A630AF13303C6F8CB513F2C94,SHA256=3627C61BBF6AEDDEB38DED432CC054C2E5D7EF51EAB83A788D4306375C8D0242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:04.658{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=965993CBCDAE3C59D09FC2D9805F4D2A,SHA256=00B407AAEB86AAEDAA28E34A64DBE737BA2895BAD64C6365883514B7E3762FD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:04.126{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB5DBB94E2F8D823B67B75A6C565107,SHA256=93331CC095A189697037B83D1FBC08F3B3CFC8744D57DD7B297F07C7041900E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:05.783{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F9DE29C776CCD5F79612FE240BF438E,SHA256=556742EA6469E260AB466CCD6605847986ED0AE25D38B83B4AB9569E17BB6D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:05.159{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2304E8737906CA93379774DC8C2349F3,SHA256=2EFC277653292C2D70DA1C4560E7D0CFA7E67DC08FD06D46E35D78580ABFD51A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:04.381{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50498-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000023269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:04.196{223CB5FF-6DDE-6442-0100-00000000DD02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse65.49.20.67scan-18.shadowserver.org33342-false10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal5986- 23542300x800000000000000023268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:06.806{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A617E00551EB843018549996DDE45A3B,SHA256=5F37364CF0AEA890DAF0BA0F69D6798E273068168AC9FDBBD3938AE1C66FCE3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:06.177{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15326944A319B63B4A76DAF226768CBC,SHA256=7C11C699DB71ECBDDA8BD7A9096A93C4F3D5AC52EFE617074C11B7EA384E4EAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:07.967{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2075DF5B6FA361D12B6002163CC535BB,SHA256=BAE193A5B0C60547D1AD462AD13B6A6B6E4CAAFD916E209D8279C18AE09D3073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:07.852{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7412C74EB2505E533C356BA0AE56C37F,SHA256=126DA8202EB204D4D14E9D8FCE1D07B9D7D7F7C6B48DF0F9CFAF2776706ECB06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:04.283{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51719-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:07.278{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198E0176816C49397E82E6000FC3C1B7,SHA256=52344E2DBAF26A82CA864DF5EEB95A9028E91BFE936D9EED8EA08A335310335C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:08.938{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDB65C01AA3D18D8678C61D2BFCD4851,SHA256=D810D287F0AC795E0A399002CF94DB7487858CD299BD65A588CA4901055C4511,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:05.062{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal62440- 23542300x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:08.330{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0962E1A9E196565495C9B98EF1DD1CCF,SHA256=1381C5CDEAE5F055C4AD4E355B45CEE41028DD4633CFF1ADF7DBDF85D29F7781,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:09.987{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1ACAE97C73D2A6396E6F4B3789F444B,SHA256=A3267D6BD9C145A870601F9527C7B2950402E228E0CAF951FC62C5A8382A116C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:09.462{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8450526CA8985F88DD315070BF9024,SHA256=ACC4E10CDBA42D8C5BE94619B7A07AAFDDA541D4748505CB544CF3D2FCAE4979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:10.516{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAF83A8154EDA9A8052278492121C5E8,SHA256=CA205CBB8E5DC1F287A04513958D1D08B00216B74455CA74977EC055CA653209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:11.089{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DE46759A9F6E7E556C04A82FDC6785,SHA256=ACEEEDC8B677DC5B7185D3DA1D58331AB8EA8F2784ADEC50E52B84D60445E114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:11.548{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7A7F7F7951E63A436A3E7467941232,SHA256=EB70F186903D6CACEC46FC2E167D6832C27D976BA153EDCE708A26EDDDC9D22A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:09.967{223CB5FF-6DE5-6442-3600-00000000DD02}3016C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50499-false169.254.169.254instance-data.us-east-2.compute.internal80http 23542300x800000000000000023276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:12.241{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54D82D3062085816527ABFA6662ACEA6,SHA256=EEDD64D3AB38808FC3653EC25C6C3D700FA3A4712093B23B693C1D0119ECD018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:12.652{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10C021CCF09E595EC3C4F90143EFDC70,SHA256=54D546F8786A86BBA79940E69FE99816103DB850ADED0B9AC225E0517E5FABAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:12.485{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:12.485{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:10.564{AF4EC832-6B63-6442-0D00-00000000DC02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51721-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap 354300x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:10.564{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51721-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap 354300x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:10.264{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51720-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:13.722{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB3A03941D0DF5EAB9DE42DD623B222,SHA256=3040768B2AABE2C6CB402F35C90E2F075A7228C5FE178E7A9E532AAB787CD2EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:10.387{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50500-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:13.257{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6FB68800CB3B246AD35EFB721502F92,SHA256=007DD1E2AC381464576730599CA9FF8A5F4EA8C6529C80E285DF30CF0F02079A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:14.769{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93AFA76C2456D2C3BCACA1B6482970F,SHA256=A61EB7987D19683056D0D9CB8205E7B6D01535EEAB424EEA5BDD4341313161D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:14.343{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC6B2602CDC455AF712ED09881975AE,SHA256=0BC7A9C1C515845347BD74C7E7A11FA8750EA542408F20A994122FA0F84AECCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:15.816{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF941B9C87D2F58F32D82BB8630F044,SHA256=5B70E9F4932DDECC5438D2DA2E2501EC0843C49EA83497EE592309228DC038C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:13.070{223CB5FF-6DDE-6442-0100-00000000DD02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse65.49.20.67scan-18.shadowserver.org61830-false10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal5986- 13241300x800000000000000023294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:00:15.443{223CB5FF-6DE1-6442-0A00-00000000DD02}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WaaSMedicSvc\ObjectNameLocalSystem 13241300x800000000000000023293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1031,T1050SetValue2023-04-21 12:00:15.443{223CB5FF-6DE1-6442-0A00-00000000DD02}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WaaSMedicSvc\ImagePathC:\windows\System32\calc.exe 13241300x800000000000000023292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:00:15.443{223CB5FF-6DE1-6442-0A00-00000000DD02}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WaaSMedicSvc\ErrorControlDWORD (0x00000001) 13241300x800000000000000023291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1031,T1050SetValue2023-04-21 12:00:15.443{223CB5FF-6DE1-6442-0A00-00000000DD02}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WaaSMedicSvc\StartDWORD (0x00000003) 13241300x800000000000000023290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:00:15.443{223CB5FF-6DE1-6442-0A00-00000000DD02}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WaaSMedicSvc\TypeDWORD (0x00000010) 10341000x800000000000000023289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-7293-6442-B301-00000000DD02}56484696C:\Windows\system32\conhost.exe{223CB5FF-7ACF-6442-2503-00000000DD02}2308C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7ACF-6442-2503-00000000DD02}2308C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.428{223CB5FF-7293-6442-B201-00000000DD02}24764612C:\Windows\system32\cmd.exe{223CB5FF-7ACF-6442-2503-00000000DD02}2308C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.437{223CB5FF-7ACF-6442-2503-00000000DD02}2308C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc create WaaSMedicSvc binPath= "C:\windows\System32\calc.exe"C:\Program Files\ansible\sysmon\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000023281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.359{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A2273090C82DE8F8B5CD4D64F68C72,SHA256=0DD0421E19C1EB03649CE8429D0855EE505DB9E10FA555F86F5EF985EEBC36E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:15.023{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7ACF-6442-7406-00000000DC02}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:15.015{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:15.015{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:15.015{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:15.015{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:15.015{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7ACF-6442-7406-00000000DC02}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:15.015{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7ACF-6442-7406-00000000DC02}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:15.016{AF4EC832-7ACF-6442-7406-00000000DC02}1012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:16.871{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D1F08B8C29DF335778E8662FB8C5FA,SHA256=FB829D1E386127B39007C5F83AFD7EAB8D3E3D6977D943DF34F3D6DD50F931B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:16.560{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A2F560A00346269095B6365EED139771,SHA256=5EC794E4B617B5F2E62B73B8B76C2D94ED1E9391BDA3BF0E38C10CA622892A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:16.545{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B806E689B9E07390B629D0C11E7FEB7,SHA256=2B196B472C7DF9111DE9F028E3C9D6BCA2A3CFA8F4BB154736299DAC56584909,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:16.376{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9A39A3B8A567DFF4327CE9161AAA40,SHA256=CCDE3E2962C10D3C06A9CE51E6CFBAB3AAB9D9376AF23F5F861EA57B04AE6745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:16.116{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4D8A3AA8230429C1B9D79BD03E78F94,SHA256=370FD2F97B84D04CBC3CC2B029F8D0D95B73A91D77FFD1FBE7954DA631153667,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.898{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=952839625F5EA815FFB85F8E2A9B4EF7,SHA256=9AB6E40162C6CACE0F682D9C63A44FAF93259475B0365A2D67C931A77A690179,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:15.521{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50501-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:17.395{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CAF1A057E0E5ADEAC4B2CC96ECA493,SHA256=48FECD4E56A0F6B08EAB81DF86872D0ADDCBB7281EA5CE1C995DB9C18245DACC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.841{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7AD1-6442-7606-00000000DC02}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.841{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.841{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.841{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.841{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.841{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7AD1-6442-7606-00000000DC02}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.841{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7AD1-6442-7606-00000000DC02}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.842{AF4EC832-7AD1-6442-7606-00000000DC02}5920C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.371{AF4EC832-7AD1-6442-7506-00000000DC02}69804776C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.240{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=36B1ED63FC4CE7705614C120AE89358C,SHA256=6A9458EF658C60225B983B75C38DDC62C640FFDC3DAA2E5D102104451634B7EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.156{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7AD1-6442-7506-00000000DC02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.156{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.156{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.156{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.156{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.156{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7AD1-6442-7506-00000000DC02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.156{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7AD1-6442-7506-00000000DC02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:17.156{AF4EC832-7AD1-6442-7506-00000000DC02}6980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:18.478{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05FFADD2E649DD4AFCD7E46B1422993,SHA256=FFC2CAD7EFBE1BE528BD5A612FB871832EEF9614DB37C663BEA8CFBD08591FBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:18.575{AF4EC832-7AD2-6442-7706-00000000DC02}56605140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:18.341{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7AD2-6442-7706-00000000DC02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:18.341{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:18.341{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:18.341{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:18.341{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:18.341{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7AD2-6442-7706-00000000DC02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:18.341{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7AD2-6442-7706-00000000DC02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:18.343{AF4EC832-7AD2-6442-7706-00000000DC02}5660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000023304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:17.572{223CB5FF-6DDE-6442-0100-00000000DD02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse65.49.20.67scan-18.shadowserver.org61838-false10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal5986- 23542300x800000000000000023303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:19.597{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D602991E19549E6096CD428759D7F2F9,SHA256=231F4D2315E8B9795E2792573C9F55B50F068D7B5C3B2744C632E27AF3A5AA4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7AD3-6442-7906-00000000DC02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7AD3-6442-7906-00000000DC02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7AD3-6442-7906-00000000DC02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.959{AF4EC832-7AD3-6442-7906-00000000DC02}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:16.196{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51722-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.294{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7AD3-6442-7806-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.292{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.292{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.291{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.291{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.291{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7AD3-6442-7806-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.291{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7AD3-6442-7806-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.290{AF4EC832-7AD3-6442-7806-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:19.019{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD93B3E44DAC2755F2CBEE75742015F,SHA256=2BFA4D4B9BF2DCD21DD18181BBD203E52D0E17D72AC5B91585EE9BF1818855DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:19.479{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:18.739{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50502-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000023305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:20.719{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1AFE2DC21E30C8E0B9555192126EACE,SHA256=F10FDE5BBBF070DEFD4579CCC7686813F4579DD7205B56093A4DA604A3B22E64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.820{AF4EC832-7AD4-6442-7A06-00000000DC02}23685432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.600{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7AD4-6442-7A06-00000000DC02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.595{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.594{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.594{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.594{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.594{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7AD4-6442-7A06-00000000DC02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.593{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7AD4-6442-7A06-00000000DC02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.592{AF4EC832-7AD4-6442-7A06-00000000DC02}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.127{AF4EC832-7AD3-6442-7906-00000000DC02}19485440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:20.127{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF4C4744AE5930B08402F7011EDB79E,SHA256=77F642B02B098D2663582B51B19BDB9F00A6DC2F9F43D880275D637B441E6560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:21.734{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91856B9229301668E168077DFFB50175,SHA256=1946E7314FA1B1DB02C36EB2565B64C3B4541EB53CB62931D9441936E9AA1DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:21.159{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D8EFD8EA69595DA15E93ACF6695686,SHA256=CCAD43BC8A9A3CB86A216E143EA9C5262E5AE2E3ED2B107E2CD7FCDDE4B43B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:22.850{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D52500F5FEE5683D8F8E71DC1CDC98,SHA256=EE067DA7FE00B37159470162533C285449EC032E021D68FBF8026BE503F6ADF9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:22.530{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\3CE3DF5F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_3CE3DF5F-0000-0000-0000-100000000000.XML 13241300x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:22.530{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D34FDAEF-E258-4A57-A230-22BB3A38D685\Config SourceDWORD (0x00000001) 13241300x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:22.530{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D34FDAEF-E258-4A57-A230-22BB3A38D685\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D34FDAEF-E258-4A57-A230-22BB3A38D685.XML 10341000x800000000000000028421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:22.522{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:22.522{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:22.479{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-063MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:22.261{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F70167EF8C0E6E94B47B6433BA346C9D,SHA256=1804F7C9AE0D77F6339006FCCAED3F6B7C332D90C222603DFA736ADF28E94A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:23.982{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E630A8E4B03BC236A8E268CE2ABEA912,SHA256=B2BC941E65102F1D5A7C3A0B888E0A36AD67D133E536F564F87D069300ED3760,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:23.982{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8E7B4ECA3364F6F9827B520D491FEDD7,SHA256=CF5021085F2A18EE807F1B165FAC1490793A75ADB0E5C8E73CF0B4EEBFE6CC55,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:21.396{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50503-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:23.478{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-064MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:23.361{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:23.361{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:23.361{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:23.277{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F055BB45A63CCF3183670EBCB9A71F,SHA256=C3CEDF3978511DE07970A02D4FCDC088CC4BFF624DFF1A31B8F94C898282F076,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:22.249{223CB5FF-6DDE-6442-0100-00000000DD02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse65.49.20.67scan-18.shadowserver.org10864-false10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal5986- 354300x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:21.439{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51723-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:21.439{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51723-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:24.446{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C06486EC719C6A2ADA105792ADB7120B,SHA256=C0B91DEBD4ACB4E2FCB6F3DE58D0527CA86397DFA8D35DC72555F8926EA60E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:24.398{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD196D1396F77F4799EFFD9B41AA6487,SHA256=FA0F7E40BB1D8883BE2FF5E84BEFBB99F445E2D08EB2C5B5811909100DD9DBC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:24.200{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:24.197{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:24.197{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:22.270{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51725-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:22.270{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51725-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:22.224{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51724-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:25.463{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6EA3A3736B8928639072141AE5D24F,SHA256=77C637A30FC03AAF6A5B0838AF754B774448C92FF15DC584D002DA37B987B3D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:25.001{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B58F1B5FC447251FFA1473331B2DB3,SHA256=F8005F55F80DC8FE14B918CCB310CF8BA46E8243F5A5471D0AD720B8702B9A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:26.625{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9393E47790D5F55C3A6D2C7409B306,SHA256=16347E0752423C7606698B4496415DDD0CAA377F14E3E7099E57E231DA7A2DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:26.024{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7665AD7DD82B54E1E8552868FFD7D44,SHA256=665CDC8E78E6571003D40D67BA6D1400E35E272463C44650BD871AC12D1B8F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:27.749{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC202A2E653F0EA971B385453DACA800,SHA256=3D6953584CF6B28C5737AF2D6837191849CFB15E73ADDB7F956F8F2E45C21A1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:27.626{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:27.826{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=999CB945DB9A536ACEF69DE46321DE37,SHA256=54C5FBB7364ECD41C0B1971F464AF04EB918C522A2F7246878141B6E3DD03E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:27.154{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEB5618EFDD4267ABB10EEE78FC05AA,SHA256=2B31D60280E8A7333CCFADD9EF3B11BF35ED9DE8716E501EEC7DA6BB394F8782,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:25.673{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:28.665{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961A81B83D8DB89046C72E3583293464,SHA256=B95A0C3F3195A7FE1556A0A27E1EB00F4537008FFB14E0926F4477616E9C6ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:28.171{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB116B5C9C63A7623C1FBB0C85AFC7B1,SHA256=F89B520B0B211784C8927549A638324785E7958E77AD4C209806465855A942B0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:29.828{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:29.828{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c8a98) 13241300x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:29.828{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d97440-0x7bad6243) 13241300x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:29.828{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97448-0xdd71ca43) 13241300x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:29.828{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97451-0x3f363243) 13241300x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:29.828{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:29.828{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x003c8a98) 13241300x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:29.828{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d97440-0x7bad6243) 13241300x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:29.828{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97448-0xdd71ca43) 13241300x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:00:29.828{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97451-0x3f363243) 23542300x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:29.767{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4CDBAB2AF5D8A0B73B01B130E6EE37,SHA256=A51350B4F4806EB7A931E3CD71A2B7C226484E433B285A866108D335642C7E06,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:27.416{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50504-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:29.227{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C51A4EAD5ECF81CA1ABB33DCC81C33,SHA256=1220145CFAD0B63BB3CC1AB5D2DA1B40100E824301F4469E8C4A7284F132B6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.804{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7559CF32F6DAC1A31BA523CDA362140D,SHA256=6DAB13789E6925AC45764BF28809537826152CB0365351B57BDEE1F5A11AE945,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:30.289{223CB5FF-7293-6442-B301-00000000DD02}56484696C:\Windows\system32\conhost.exe{223CB5FF-7ADE-6442-2603-00000000DD02}5292C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:30.289{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:30.289{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:30.289{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:30.289{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:30.273{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7ADE-6442-2603-00000000DD02}5292C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:30.273{223CB5FF-7293-6442-B201-00000000DD02}24764612C:\Windows\system32\cmd.exe{223CB5FF-7ADE-6442-2603-00000000DD02}5292C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:30.288{223CB5FF-7ADE-6442-2603-00000000DD02}5292C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exesc create UsoSvc binPath= "C:\windows\System32\calc.exe"C:\Program Files\ansible\sysmon\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 23542300x800000000000000023320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:30.258{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17587195AF5E2338C5090BD5254C75B,SHA256=6094F28D28EB921C5FDF22F9B7268A04CF12399075BAB1C09B7F23DE62143C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.328{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EA21F06BDAB3F980B0CBEBFC0572B44A,SHA256=AE4D1239542E9261CA233F535DFCD77DB12676E6E14A4954E87975328C8E1D30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:31.984{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:31.984{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:31.869{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1B0E785662D8DE7A749D5FF4C6D647,SHA256=AB9A48C5FF69F1D14DAEEB761278321F628B8C7DDCAACE678E4176EB23E89CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:27.243{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51727-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:31.561{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-053MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:31.358{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D58D7D9E207C05760279E04940D3F339,SHA256=BB8690BD3123B1A958FE19794A96C8FD1A9ECEBCB221772BBAE9AF1C54FF8776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:31.290{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E73250F8EAADCA511F9CEDC67E6D04,SHA256=AC93763156F67810CF0E1067DF33F9A5B8F1A95405608198BCB0D0524848D286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:32.906{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502D0DAE4B0E419FD50D4286EA15BAEB,SHA256=32DEFC0D9FAD6D33B5B49092FE0E5D70B0E34738A63B0B41211A66C2C70CFC48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:32.560{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-054MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:32.390{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246ABE13AF2A33DA2CF0F7C211917563,SHA256=AB99EE8AF4CD94C43E48EBF73C53CE096DA8DBC7B7BC0A41974F7032968ED4EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:32.085{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B5D-6442-0100-00000000DC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97952|C:\Windows\system32\kerberos.DLL+79c68|C:\Windows\system32\kerberos.DLL+1458f|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+2da46|C:\Windows\system32\lsasrv.dll+332d9|C:\Windows\system32\lsasrv.dll+30c27|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+17bcd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:32.085{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:33.955{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDF8445D68841F69C1551597DC62B15,SHA256=EA3E6FD3045C5AB6085700271C8375D1A1A9EFA5F92337844A411CA4148ED331,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.171{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51732-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 354300x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.171{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51732-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 354300x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.167{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51731-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local49666- 354300x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.167{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51731-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local49666- 354300x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.166{AF4EC832-6B63-6442-0D00-00000000DC02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51730-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap 354300x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.166{AF4EC832-6B63-6442-1400-00000000DC02}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51730-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap 23542300x800000000000000023334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:33.530{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB3A43055DC130821878D26162421369,SHA256=D2B4A8EB2DD6125A83840EFAD772F0FE2201744889BDF3789788FDC027C0ECAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.074{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51729-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.074{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51729-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.065{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51728-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:30.065{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51728-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:33.054{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE9E51512C552B4C2F67B00B68067173,SHA256=75BD79FE76FF56FE31098BC61A26167E461F4E407CBDC179F10A543BDB32F1BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:34.987{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EAF46B2CD54166B1155AD7F20C20A4,SHA256=6322CD98B468D8BB24C4ED5CED8E027CB6F64AEB6B9B0EC304EDE9FE32A1BAAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:34.576{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1259DFE276C09E8010551BD87475F8ED,SHA256=7453C469C4AE4A0F36D755222BBB09A08BA971CB032C3CA76875FEFEE8EBCA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:35.610{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DA09D769E1B8B6F9640C5F217085A28,SHA256=07C578ED3B2771261ADD7EC4E0736CFBD72E4E06186F07A5AED8FC11E7362A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:36.747{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73D3279702E4FDBE63D818EB7A22110,SHA256=9CCF433F21D153EA66810269F3445D1AF3D3E63EB6CC3CBE6EAFF5C2B2275BC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:32.263{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51733-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:36.056{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFEE7D918B168F4DAD1F48B5F89F653,SHA256=C52B9352E7098CB3580CE95F20BC833DEE01BB8101D5D87F9A9C9E80634EABC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:33.367{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50505-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:37.849{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA91D30296641D853E9939DE1488EA2D,SHA256=76B508D2F1469BD3AD354F92CB90ACE98ED5C870FD7A324BE325ED2F4EB709AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.188{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:37.088{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40AE13CD7D90D7B7A704A336FECA5D7,SHA256=C05F48447A2B93FAA663CCF9FEA0A42D5DCE2E04C0EF360A4579364DE92B29FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:38.981{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79F7FCF0FECD374F79EB6BEEC3D0FB80,SHA256=4F5AFD2F64843F722DCCB9F593BA20F2DF7E111236DC131FA837E1D53D9BC1DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:38.174{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BAEA9702EC994667FB7F1E211A463AE,SHA256=EAF53DDF2DEDCE9754D135E069FFAC9A2122D174B7E03614CE1D352BC39C7496,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:37.230{223CB5FF-6DDE-6442-0100-00000000DD02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse65.49.20.67scan-18.shadowserver.org19888-false10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal5986- 23542300x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:39.208{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6AFEEC1633EA7E35AB622AD1B1ADF3,SHA256=F86D6506A30AA4218898C984E276254F40A96D91C6613A06707E9DC6B45B25A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:40.117{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B275B3ECF16F3E1471EDD69B7B52A1,SHA256=7B2AAA9E7C062CCD608BBAEC901B59A278772B9BFA0A0BD83CBDA5D7AEAE2A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:40.260{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B088956DC754E4DA99F77DBF62B71796,SHA256=E06E70CD322B8AC9A4BCDC3CE12C54299155D95A2C9F1488415FD2DDED9D191A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:38.491{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50506-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:41.151{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C4DE97A093E4AB1CE3C677620A5189,SHA256=F4A1D07F4CDC024EA68115735AF11E14FC88BA1348B48EA7AFA1719C7CBE1BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:41.376{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54ECDED2BCB83B6C0FC7D01595A1A12,SHA256=4B77B466DD16F4047235495DB82E803594E3ADC7B237DC96D9C55A20355EEEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:42.216{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37D345344656615E2485F959B55714FC,SHA256=CA5BAF66B8E06F98C9A9877F0418657ED9A6DD23E36FE80B54770852BBD06169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:42.393{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BFD10749775E4EC10733CB7DAE832C,SHA256=8ADBADED87502EFDA632CBC1B509BB180980259EC7638861E704D94F39AEBF05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:38.236{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51734-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:43.317{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB4F6AF79930928311398FE8E893AC92,SHA256=EB4658E4B6643F4ED4B90AB05673EDA198C1692DBF44C97FFF23D5BD280627CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:43.894{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C6BE4F77FF1AD7D648025915E783C5BC,SHA256=EA31E345B0AA95C30BD8BA4A0DB2C17803B3E6588AF94C79B00681DB5F2CE55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:43.447{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313A856AC4F67A95880ECE3F02E98E72,SHA256=8617308159C94A10B19C0325DB6566FA49FEC38084CC334A12A3A19EBCCE63E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:44.579{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F14037A02498A9FD22FF770F3CF623,SHA256=85BB8D38C7CCC849B8089AE41FDAA7DF26F3C34099C1A59C831EE40830989A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:44.440{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B9CD2776AE5CFBF5D3E41AB2902195,SHA256=C4CC9AB040F16FDF3C5C779E77536D56E6023665AC73908A1DAE9A921C1A7B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:45.502{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24856275B59DE0755E8E0EE743D06782,SHA256=1C0E7D8F3F24C466544F7D09312629F26D3AF69902CFD88BF25C767238073AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:45.641{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5BFE82492EE52C19FD116D58E5C319,SHA256=D794F1F0F32DAE1D46CA35A883AD2140317E47D0087F1024F2ADAB6828068043,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:46.732{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+d30b0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000023351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:46.732{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+d2b91|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:46.732{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF33094e.TMPMD5=1F4BD192F37F455E666A6F524978A45F,SHA256=3DEDCE8C8A9850C8DCE400D84B20A73ED72ADA56B93AD8EDCC0D71F32CCC9E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:46.593{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FFAD9722727932050A193814C67F527,SHA256=F4EFAB9EE15CAE7191CECA0A38E543AF1A05A802B7FEBF36E1836FC9E7726374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:46.665{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB139D7D14486285948E91CE5EC7D49,SHA256=335E992115A86768FF38625DB2251F81E356B344E3BF3CBB8D727A1642A14ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:47.609{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7A376779E7BD4785BF0E3AFD9404B8,SHA256=9CD3D0A304FC8CCFD5DE38141BD68204BA6C278957F7716C6CC176512CAAF8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:47.682{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10DF68FEEC4D36790089BDC595F1F75F,SHA256=F964306DB59F9E5361809B4C2C52A1AEA62F39F5A0F941B05DFD6BE65FFF354D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:47.682{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=430794BF53DC1351BADD12B422D4F81E,SHA256=0A1BAB2D4E46C1032243355D4EFA520A69ACE44345F4C0EF8EE20E99EBF856C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:44.446{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50507-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:48.650{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4689516898C72D8D285D69330B0BC32,SHA256=C573485DE1514C5CBDADD5CC6E510A7EC0D17BF37952CDB23397892002424727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:48.715{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04C329C40EC9E08765884D001C4E276,SHA256=20EDDD2033447C74A2068EA6FA7A792D1E4EFE90C93C0A5FF7E95991C1FF7A73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:44.191{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51735-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:49.780{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA98BA208B5531AC40137626770B7A73,SHA256=E74FE046360879DDE44F52FA7BCB1D3F207C9E5AF62FA51FD04C58B4F749ABFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:49.765{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0E18D19EFC9174C51232FE0B69B0F8,SHA256=9C2DCE221A412474E5A31E6F5ABF5435E0A4050F01B08DA8FA8849B030E2DDE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:50.884{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21BCFA862D14DF7034EDA2C4CCB1F81,SHA256=5B2A56CA5BDB3B8D2ECF54100329AB6DEA1F85CDC5CF5C06DB56F8C8A1419265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:50.895{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B160998D972270500C68B6B926332A,SHA256=37637BD0AF937D447EF9BA2E4BA8CFCBBFDFB608C8F16EDBD979FFB26592C523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:51.916{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3D32FEB272A3E2F1F1FBD76BB5504A,SHA256=07069A3315E65921F8B0C8D29D1AB15859F67D028697990433923122B26195D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:50.391{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50508-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:52.012{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D17A6C3918355944FDBFCF3AFFBC799,SHA256=5908D3A97F88C2BF2995C768927EF4C80571AB90406BEA50FF5EC5D43E16B5D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:53.035{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30416FB675152E9C71AD67D39DA6C902,SHA256=11B7E6D66784047302D7F2D9D60C8FD8F771FD69E7F547A02F0FA583809E0607,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:53.162{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09912CEEF0545A401AE9329EB4A04A63,SHA256=AAD56252D77D0225FC5320E6552F860713CE21437F084483B7F7C18898C47296,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:49.324{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:54.087{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A062CE8992AD7C83E3D4A9C0D379D400,SHA256=B7A3A46C436E4DF23D29982CA513F1189C352F75DA23500DB7D171A1266EC22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:54.211{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57485397840B261332347E09E88216C,SHA256=922242EC292B3D5DA3360654BAF0F5F9FB0C9E1E4BEAB9BF860D3D55D7558A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:55.188{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F51BFF114A9DE122DEEBC1CA286F2CA,SHA256=43D59BDBDAC365C081F908676CB41882C2526D1B7961376A7947D601F0259540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:55.276{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ABD758BEBC448F15C322E3A22729393,SHA256=E3046A6CCBF7D384ED27A7577D44AC152AA9043AC4C6B0AE1EC7F3E4EBC8EF8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AF8-6442-2703-00000000DD02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AF8-6442-2703-00000000DD02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.389{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AF8-6442-2703-00000000DD02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.390{223CB5FF-7AF8-6442-2703-00000000DD02}5424C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.238{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394F1B48072282EEFB98D5B705D05A9D,SHA256=03B55315981DA2DED465CFA766DCFF04654D3DE55B225DA37364A5C47EA8D433,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:56.409{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8673D999BBAFC0AB97DD51FDF78D66E6,SHA256=E69C4E619497E541E8A803F81D2B4F1A57F410FD6E53C559F525DE5ADDA2A5E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AF9-6442-2903-00000000DD02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AF9-6442-2903-00000000DD02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.807{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AF9-6442-2903-00000000DD02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.809{223CB5FF-7AF9-6442-2903-00000000DD02}6288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.442{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A22EF88D46D76677D8A218A250E4E10,SHA256=B3D44DA89404D51D829737D3E6ECDA8A981F1AD99D931C85EFD19CE18C58ED19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.346{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA9DA262CB1BD0330407A2EFBC3CBCE0,SHA256=3631D382825B17DD81D40C889FD61D9F8754A19F2FA57FEA9364E3D1C8FFFF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:57.460{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F23CB3DBD3C97CB317996C6B07DD9D36,SHA256=239AF3DE4161F904EF295BC626D145E733C753E88431B6319EB2C0C1B3CCDF7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AF9-6442-2803-00000000DD02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7AF9-6442-2803-00000000DD02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.290{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AF9-6442-2803-00000000DD02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.291{223CB5FF-7AF9-6442-2803-00000000DD02}7144C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.824{223CB5FF-7AFA-6442-2A03-00000000DD02}69325248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.644{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AFA-6442-2A03-00000000DD02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.641{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7AFA-6442-2A03-00000000DD02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.640{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AFA-6442-2A03-00000000DD02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.640{223CB5FF-7AFA-6442-2A03-00000000DD02}6932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.523{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D4A9A80AFD48AB675EBEEF38939AF8,SHA256=C346FC88219FA740E48C549505B11E7DB1F67D7BC11F45C23BC464AB47EE82C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:56.397{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50509-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:58.537{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CF1B664C28A109671DCC87FEE03D8B,SHA256=694F6FD0629B14D104DFB689876384CC9B5D07A7D4E1A4CEA92B97EF5D410FF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.263{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=339EAA621F68DCD70925E0B5DC86113F,SHA256=B674BB38026AB8B03BF639D23EC456D2511E7C05007B670942CCD35D7978F6C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:58.007{223CB5FF-7AF9-6442-2903-00000000DD02}62885676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:59.628{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D93858FBF7F6FC8A748B65DF88391E,SHA256=65E479E18A31C4B5F0026F8A65B3C964328CBCB3426D35AFF6A38FE6F3A4E0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:59.710{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD2E6BE33ACD81A59C13E43F1016FAC7,SHA256=1185C410FEA337EAC6F1D463516C5C3BFF6B9A54FBA7433068255BE2F0DB898D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:59.608{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E082F082C554F5505A8F827F9C9B90E9,SHA256=A3A1091795AA4A369D22C178378243A8EF3E16A499D1108BF3E14780244F3734,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:59.497{223CB5FF-7AFB-6442-2B03-00000000DD02}65365404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:59.324{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AFB-6442-2B03-00000000DD02}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:59.324{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:59.324{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:59.324{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:59.324{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:59.324{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7AFB-6442-2B03-00000000DD02}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:59.324{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AFB-6442-2B03-00000000DD02}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:59.325{223CB5FF-7AFB-6442-2B03-00000000DD02}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:55.167{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51737-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000023423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:00.929{223CB5FF-7AFC-6442-2C03-00000000DD02}53126528C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000023422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:00:57.887{223CB5FF-6DE2-6442-1600-00000000DD02}1236C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50510-false69.164.0.0https-69-164-0-0.iad.llnw.net80http 10341000x800000000000000023421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:00.749{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AFC-6442-2C03-00000000DD02}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:00.747{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:00.747{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:00.747{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:00.747{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:00.746{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7AFC-6442-2C03-00000000DD02}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:00.746{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AFC-6442-2C03-00000000DD02}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:00.746{223CB5FF-7AFC-6442-2C03-00000000DD02}5312C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:00.729{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0C1E92CD0C2F35AF2DA0C2BC6FD889,SHA256=16117A7A733904AD9CCF6C5BF8BF64AB1018C578F1E778B6DE507DE2AAC17890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:00.742{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144A797275388EECE1282E06442F8D7B,SHA256=00DCB5487BCE5B60CF1BEAE01C1D90DE7E48AB285D1D6268242797FE5482F052,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:56.993{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal56153- 354300x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:56.613{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51738-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:56.613{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51738-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000023432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:01.811{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F58449A12D5F8B58FC9037CA0205BF,SHA256=3CD3CE8C64D939142ABC89786C9753B27589287ED34094030D22A7FE95275EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:01.774{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37DFB5DDDB7F29E91F4EE67640561AEA,SHA256=09AF836D5BEB0F60A00D03827558E7C1A5AE6F8A8DE9CB6F3D3B74F229F87CB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:01.415{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7AFD-6442-2D03-00000000DD02}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:01.415{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:01.415{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:01.415{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:01.415{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:01.415{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7AFD-6442-2D03-00000000DD02}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:01.415{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7AFD-6442-2D03-00000000DD02}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:01.415{223CB5FF-7AFD-6442-2D03-00000000DD02}1224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:02.917{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA42943FDE8C0601EA20C0140BFC1A2E,SHA256=0CBB25BFDEB9D140153AB40B3BD0540903E1F070DF5DABC669781B046C5976E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:02.842{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0533DCFC96996F0125E89654A59AE30B,SHA256=7A22A0A0A7394172690420183158781A689D0079E3CBD6FD70736161901087EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:00:59.076{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal58938- 23542300x800000000000000023435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:03.949{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7369150FE207073E484AB15A7996A42B,SHA256=A99ABE93B972C38D70C5761EF3533CC6562B169945ADE0D8D856BD0C267318C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:03.989{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F222B61B8F74EED40CEC29EFF6352C,SHA256=4893F0E69F38018F29B52A23FDB3D72020F4F1A5C8E4BEBA28253C959C6285F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:01.492{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50511-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:01.165{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51739-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:05.067{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69471BF80485A93CE268DEED3CF9CAB8,SHA256=A36ACE4AC299A67D3C84FFB6EB5B7673E28E9E39139ADCE691886BD7CFEBE251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:05.007{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDE711EB895036E028BF0691156BCFB,SHA256=2C45FF4E01FDCD0AA18459C05074ED774C6ABA3DFDF6E25CFA386B6BD29CA8C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:06.169{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C432C8F9A36C3BE4F9A537ED439E685,SHA256=FBF8E05C905E59282F1AE590F8E7AC135BA3C0ADBD262D1A3E631E0A9BCC922D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:06.072{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57917C88500BD1D2C62B39546F7AC67D,SHA256=4B598B634A5F4A2037E1D52301D8B77FAA968D2D6E0F9EFAFC7A850FF1D43C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:07.969{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4AD1782FB25A200B609D6527137A8290,SHA256=E8F34FD0F1F5812407ECC4DE55AE0483D11FAD69657A76C8D1B4BCAA129D170D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:07.274{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F612FA2A39E6969F82CEF2CE5CE8CE7D,SHA256=9F72B53498F6EC37B5D3D70820BF5BB68659C2DCE32F3D1874DACA34587C1A2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:07.206{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA12F455D33998E98710C6B3A88E1C4,SHA256=2B3C19740E5212DD9294E4AE4F01C1AA0AE692577240330D71EABFE4557E6113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.406{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44D8FFB77333BB2B6B67AE075450055C,SHA256=6F6A43664E2FB1A6C5DEAD1C36F6E69E8D2DD8D1D53D944F784FE16B2AC35BAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:08.321{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:08.371{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B17F035A33421AF422809A3FDED5AB65,SHA256=01030AE14BB95017686DD7B85DFDEE45E9355D0C7BDF94B7C59F45D2CF5FE43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:09.753{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBAD0BFBD2735276859B20F26791509,SHA256=72CDC2A197E20C774B01F6352DE064619B4A008E4666E751AD0365A655163107,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:06.182{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51740-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:09.503{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80B1D677193802F39EE0CF85CF54C366,SHA256=55B9F6A2874F2F256896F058F8C3F00F07420F60081889E9024E7FA00BD94F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:10.820{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ED086053424BACE7D6479732C6C19FE,SHA256=311CD9EB469FC17F7B3412257C9DEE4B5119CBE2C0FD6CE0D90634A8196CE53D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:10.585{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEBF916147CD54F320A53162656FABE8,SHA256=FEBBE9ACB909E97AF37D66194ABCD8739CEC5168EA5C6A8DF693122C48D2CC6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:07.528{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50512-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:11.851{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D337A38E762B28DD417F421489E08F,SHA256=7EAAF002F065E22F52DA7F50433E703EE8096C660925695110DA3952DE2E9543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:11.653{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD3691F4B8BF9A6ED3B290A7B5D0F34,SHA256=1E0F3921B7FAE2B030D1C0C6ACECEF6FDF258A1DE53959D21F4D7EFA80A9FF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:12.903{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7EBD00FF2EC49E09D010F6F32F47F29,SHA256=69861DF83FF8E2F6F4B1E1708A99A1EEC7D9F250224C4220E3FFC04E6679BFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:12.701{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC525A686596ED4C31DEC0B19F2968B2,SHA256=37670B3ED456C05D94C954C37FC34CFC08E51EE1EE68D9EA0B65F72BFD68F5A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:13.802{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E4F9E592812841E46CB27215A64969,SHA256=4A516AB6562A15B4542FE13EE0ADA77560ECE398CEAD535C3DF65F6B9F387AB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.937{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B0A-6442-7B06-00000000DC02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7B0A-6442-7B06-00000000DC02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.930{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B0A-6442-7B06-00000000DC02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.931{AF4EC832-7B0A-6442-7B06-00000000DC02}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:14.852{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1491E185C23AD260063C32C5D5A4DCF,SHA256=3F3557B832709D2616E7D052309F195109B3BBC4452F51F9F07EC0BD6898F9B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:14.033{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2CCDF2847784C0DD6966EAEE54845B,SHA256=1DFDA59896FA38FBB83CE7ECDA5D9B811EBB136E4A4D743ACA9F7A274DAB2D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:15.983{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DD21569D89E336D16C8B97067A0FD1,SHA256=B4ACDB9D3E66E554B2A2205D0C82737C35E120BE8CEF1136D8D6541E3304C20F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:15.148{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9832054966F782327BCB521AC5A774E3,SHA256=265B471C68A9662199D9F928FC5BF60196E0A332B15E895420BBF0C4702E7ECD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:11.205{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51741-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:16.287{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC64A26CDEEAA1FDBB67567D1697FFD,SHA256=4E104D1BDD76EDA0C4858D58CA63D491E65B2AF6FD8ACCB7A72FBA27CF8831D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:16.229{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE59B011886AB481F5ED601E79CDEA3F,SHA256=EDCA552CC6FDCDD0D3B60484A68550CE76BED3F10A24F73D44414B555EE128B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:13.424{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50513-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:17.347{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E039078B3A0AC80BB6CE82B61C46EC,SHA256=CCD37341023ED4C6424FC01ED600A11305349C899F7F775EAEF599EA7D1ABADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.952{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=82210D074B78CA41D606795C15FAAB9F,SHA256=91A973B76613D5C7F7714DC5DEAB21198CEBAF1CE6C5BC80FC202ED6242F5882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B0D-6442-7D06-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7B0D-6442-7D06-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.675{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B0D-6442-7D06-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.676{AF4EC832-7B0D-6442-7D06-00000000DC02}6080C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.424{AF4EC832-7B0D-6442-7C06-00000000DC02}71045232C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B0D-6442-7C06-00000000DC02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7B0D-6442-7C06-00000000DC02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.166{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B0D-6442-7C06-00000000DC02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.167{AF4EC832-7B0D-6442-7C06-00000000DC02}7104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.028{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515AE0DC51B84298E3F037D2DA052EE8,SHA256=4F0497BCC36D4A90612039F272254B461A5B0F561DD4BD94795E1AD221883A19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:18.463{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC752BF5988AD06AC6F54BA69BE9BDA4,SHA256=70D52E2918BE3AB3AB0BA3C37F520611590DFFD5280D5F62AFA21707F184B908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:18.536{AF4EC832-7B0E-6442-7E06-00000000DC02}15244732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:18.352{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:18.352{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:18.352{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B0E-6442-7E06-00000000DC02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:18.352{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:18.352{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:18.352{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7B0E-6442-7E06-00000000DC02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:18.352{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B0E-6442-7E06-00000000DC02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:18.353{AF4EC832-7B0E-6442-7E06-00000000DC02}1524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:18.158{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010224F4059147E407D177CFB580A932,SHA256=6FF8EB760D5AA87E9AC2257E0C9ABA9C8F2A8A1CE6735053E1CEDD308CF0886B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:19.529{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F518EC237F9249FEE870133A7BA4B9B,SHA256=6B34C36BAE1E7AD66D3E83CAD506D2A2020B9CC544BF02748DB81A1B02849E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:19.513{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.950{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B0F-6442-8006-00000000DC02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.950{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.950{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.950{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.950{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.950{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7B0F-6442-8006-00000000DC02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.950{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B0F-6442-8006-00000000DC02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.951{AF4EC832-7B0F-6442-8006-00000000DC02}2932C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.458{AF4EC832-7B0F-6442-7F06-00000000DC02}37162124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.273{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B0F-6442-7F06-00000000DC02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.273{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.273{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.273{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.273{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.273{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7B0F-6442-7F06-00000000DC02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.273{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B0F-6442-7F06-00000000DC02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.275{AF4EC832-7B0F-6442-7F06-00000000DC02}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:19.189{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7829D9E2C422FCA86C77F438F24337,SHA256=FE50A4305FC24B13B0F549DDD9D38F3A16852A0FAB756B80FC31AF5D79E5C48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:20.564{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE22B02B91005BFBCF5C8F9E3B4B6527,SHA256=FCB4BC44F2FD8D6F6AC181D77D5DFCA2F1EE8B815676872A7A91B60CFB39C8EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:17.226{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51742-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000028628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:20.789{AF4EC832-7B10-6442-8106-00000000DC02}58206948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:20.589{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B10-6442-8106-00000000DC02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:20.589{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:20.589{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:20.589{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:20.589{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:20.589{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7B10-6442-8106-00000000DC02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:20.589{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B10-6442-8106-00000000DC02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:20.591{AF4EC832-7B10-6442-8106-00000000DC02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:20.329{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B50C95F822F1B6FD2C1B7481EEE0655,SHA256=F5E43C1CEA84F41E750D34C2DCF1EA66677F110110B8402EBA23DC6AD6847B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:21.612{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F497D682E098C96F5E547E3F65C16CC,SHA256=22BAAD4BD1A386C979169E29F47B09DC271CE42B4722046B7A63B0EABE9B8DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:21.473{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDB1C9E0326BF62DAADC958A058205E,SHA256=AB263949E1775E12A20DE6E1D6865D9801BCC4C5B0DA100113FB21C401B42E66,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:18.760{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50515-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x800000000000000023491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:18.520{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50514-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:22.742{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D119BCBFC75FEADBF9694644870BFA,SHA256=55CFD522B5E1EB875E28FB49F761CE59FC37E8C9C0A7A937C50C8285461AF0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:22.521{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D728A2CB7FBD965FDD583E7C46912050,SHA256=E260CA33A2FC6651738AEB43E806498ACC6773FEB774763075B8558B08D97870,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:23.781{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88175276F7DEAF36FEA24CF927738427,SHA256=02BEB00618E33D1D7C271254F46233CBAB6C5AF8FD98ECF7B5C6BE06AEA48586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:23.554{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F979CA9B4C48BAA2911BA621873D6A,SHA256=C46611B2B883A6F0FFC3D9C8BB782EA708B90BF9E92B4742594A0EA63EC664CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:24.809{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4D131DD446EBB72E732EF74E135364,SHA256=A5CF178FED98CA9CA8BF67337AA632676DB17FBF57AEE6457DC1732191107844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:24.692{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715A0155144CBDE7673BBD709A8518F2,SHA256=4CCA4680AD35D047D2539584257375102049211944E405F12821B0E8F04D8F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:24.030{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-064MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:25.879{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C5DFF4CFE1942F00463FD2921141BA,SHA256=89D7530CC29F1330B1E7189D58B47FC4DA5D75AE76712B0C5014A10EA8ABF156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:25.853{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396B98454A6C8E32A7A98B969551A2B4,SHA256=8C2BC5BD69073B8F74AB002ADBD9F1F315E173E4847AE1D6EDDBDEABA0E0CD87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:25.008{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-065MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:26.923{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045647C89E318BFFB90AEE159CD2759B,SHA256=49F80AB71D444226E69E780BCB23DA235D63A45DC66B35D74B94DA38D9CFAC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:26.907{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A04FE8BC4DC6E0D4A0E5A61EF84FC3A,SHA256=B748E69E27F82E827A0AED38CC1887DFDCDF6415A2EA9EB5B6238EF4BDE8B9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:27.952{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7E5543DC29CCA86B6231EB9DC91A1E,SHA256=AAB948100EF3ED2DF287751C4DE2101FA8292F5261D466F123B8CFC605EB5C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:27.562{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=090A741F4CBC3EE819F7BEC30C74DD0C,SHA256=AEFE46F5F0DBBCFF4ABA42D7F4011705B2DAEB3AEC750A524D6A26A14D3AE530,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:24.515{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50516-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000028639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:23.135{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51743-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:27.675{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:28.976{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB1285BA6FF101EE3CA71B54544ECF1,SHA256=C4807A22865061638B5D623277B81DF2DBE322245353C3F97292EB87B95C0D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:28.055{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0FB8623912ED30A6124FF0EAB4CB085,SHA256=C2EB0369092D87DD25D14879AA46C4B5212272CC170348722B43F414F0E022A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:29.121{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB37A076A5EE858BFE4F4603F370DCAB,SHA256=49075CA2B01ACEBC1DC1E98DAD58C31F61CDBC0D617198D9B92760858B471C1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:25.727{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51744-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000023503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:30.236{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A1565330C4435F66B110A839B68814D,SHA256=99B7674A40098D82F208FF735C9A115036B3DC47112FE2C12F2821425E8BD639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:30.352{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=216162557B1524191B77FCEAE46861EC,SHA256=90AC90461E126D9AB08B01B6F1D07FD083528D68BF1CB150B64456EFF0834ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:30.023{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FC920C99F8D2EE251933AC309BF68DF,SHA256=9EE30E72A14635AE8B86D7ADC91D53664485885C335382ED10374E0635531550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:31.303{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF782B427CBE78172B3D63999FC6658,SHA256=FE9A4D803F98D437EC6163D777A6D59854C0C824705C9E1BC2FC8EE6EE400023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:31.089{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20D5B2A59289667FC725F416B0E66B8,SHA256=8FF049DED4CA9FAF3BAFB121CCDA998CF53F8772FC326965F85B70219416E915,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:30.363{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50517-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:32.351{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F41BE21A3F48C1999E7D961FAF1F738,SHA256=D2E977E5D872F5669B27F314B145B0C323C64B286E71F03151D53F2CED6328CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:32.158{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12E60C3EA85B97D471097E01AB0F770,SHA256=6D8D536A2C93501F476EA548E8FE05228A5F1B1787267B195D2BB3620522B85B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:28.264{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51745-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000023510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:33.702{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:33.702{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1100-00000000DD02}968C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:33.486{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C735089FB244AEE5864A653280D03FC,SHA256=6583320F3246509BC9787EFA646D575A93C610E5F4F658A65FB24F8F625E5A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:33.288{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1110754C48DAB252A551213935E02123,SHA256=CB32C3AF1574A051C9B596A7919CE68C53FE4AFD5CF8F754EE6C2CB4AB1A865B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:33.091{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-054MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:34.551{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BC66F1AAE9365EF435C79DBC427480,SHA256=AF9259D5185BE843BBFC68850128CF08B05388D0D409430EDE41C123C89C45FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:34.321{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAE06299EA62FDB7BFAC78D647D391D,SHA256=641D3E9FACB26CA177D9DBE9545C51B8102612ACBF646CBB7980EB7AC885EC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:34.103{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-055MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:35.673{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6497397B0319C4AFECB8D0591E7AD10F,SHA256=86FBCEB53DA396040B6A2AB16734858C174F5757DDC40F6CF01EFFD68C532E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:35.372{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF598A4CA9D995A684F617E2E6CAC062,SHA256=1540D65DC8B4A695FB7914BFC053E33C36AC75D8456B6D1F1C4CCC9E51F5C7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:36.716{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFB72ED952FE14B103B0894E900487B,SHA256=06A26140219DA760E0E3FB9044F90A8453B84839616E7D2B68D942B9C248EF6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:36.419{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C096C4BE3D4383FB4EBF24F846B9A9,SHA256=A78840E9FDCDA8058871BD2701CF00A1E742CFC9A0FAB762680A69100793C051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:37.871{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C743D7588C93D979974CB16FFCE9E8,SHA256=83D040066E131F389EAB7D47FFC022479CAF9B793A9BF1CB71DEBDFECDC6D7FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:35.447{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50518-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:37.485{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46CE8F9F7283A40DDF22D1DCC1E9746,SHA256=174738A2BDA83AE91E49EB717BF046E35903523EEDACE697EC6EBC68078A2F26,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:33.323{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51746-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:38.518{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008D9B67C49C6BF0135D6CA0E83DA127,SHA256=4D363049027CF86BAEE65D513A6A10A76ADBE6DFF3C19BA43D443CAF600F457A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:39.599{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3F1D0A5091349601240D0CB822C389,SHA256=4383825D5095EA74B46022B5759176A717D1BF0EF305C83C98F958467224DE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:39.016{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFFA2E626B63061FEA7C41142384710E,SHA256=54311F1D55625E059D6B16BECFD85AD75AC8161605CEC6D6D743C577C7FFD064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:40.645{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47CAC20703F9F180DEF85E4169009904,SHA256=94449921F7B151B3C72D72101A9D441B06100313279A8631AAF9DC942506BF64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:40.148{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E329B34A456BA366EF25BDFAEEC1F6,SHA256=A49F81566867ACE6857A6E6FD95500AF35FF6605542AB4F4D695E941C208EF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:41.782{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AA9D64B76BB0E5894B8FEA845C6F39,SHA256=944B90D88CE6B68779C5710101C618FF5E388160FF8B2EDDA748AB79F21D23C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:41.271{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9C3FD692BBE62D3E89CACC3A9B51A8,SHA256=62DBC39A73EC2848385C4C6E73C7841ED1B0E4286B0A1C68645E6FE28C924001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:42.814{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACED68D8D325623BFBA5A074A1A4D5CC,SHA256=B02CF390E30052E5CC5D4C687B9FB13D6248B0178EFD9995AED3C72D93A0229D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:40.474{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50519-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:42.414{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F40CFA8918033EB3EDBF301630B6B84,SHA256=C5F11A9BF32A6C04444B99869BACE818C244A908F5996FC04E3B6CA99CD75BE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:43.482{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FFC5FE32D8399A41C47E9FD7C98927D,SHA256=C3A8256CBDB3EE6C89E7FDC3CF6EF84F23BBB404037187A540718E4BA87ADB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:43.896{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36A8DCF368A7D1F8F612C424F9472292,SHA256=EDFB6EF21A56B72F4351CAF75703D196C2698CA36B4A3188B7D69DDED55EFF74,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:39.125{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51747-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:44.942{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B87480FDE02490E77DC873447DA8188,SHA256=A081444BB231958333344DC332BFE9FE71FC0FCA5D6F46D8B9C759F47BC4230A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:44.545{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139C226AA3328B9069B8976226CE8B59,SHA256=9B548697A75A1E5762DBAF632FA600ABC2B8B5307F2CD712CFF8E31AC17946CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:45.979{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0C63ECE6BDFD460F76F92CE0101CE4E,SHA256=EADC15AB88EBCF8642BC683E5545FBE5EE32FD2BE2A40E331E59F8B4505AD061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:45.611{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CFC493BC9ADC9FB89AD93FCF446DD5,SHA256=F2A7DDB317E5D3569CCA113162416BEBF7A24D9E672587773A4FDBF5BB792077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:46.679{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=094DAF84BCCED6A0528C0D28A1846B0E,SHA256=8DF5DE650926FE87C255660F108439A9F7A5534A4E5A28CA578720915815B072,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:46.640{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:46.640{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:46.640{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1500-00000000DC02}1148C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:47.711{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B851479D89E1414DD6ED9FA6FE9A0D0,SHA256=3B4A8DE7B7DE8EC0BF0F67B69F9A45F73265B591B90E64C7994E44118D6A962F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:47.493{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E5FC31C5CDCC59F6852082A40978621C,SHA256=F31FA55D10A8CF32F2035C4F0BC7BD2BE08440AFFD9F0AD32434BE01EBF0E1A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:44.287{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51748-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:47.040{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29BEB0525DDEA954BE2C4D6F1F592F9,SHA256=97810933D7EABC075420436365BD68725D11B2F3DA02F1886E452107190EBBEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:48.727{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186C8ED3CBA757883CCCCBE1E76F6866,SHA256=B32AA6AA1ACE09B2CCA8F94C09FAD539588B805B156AD67A7ADFB9D27D2CF158,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:48.077{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=394229BD988929817E72FE3ACC2E618C,SHA256=E76CC11840A4E61197D62E8BFCC83B906CC72F37A89B3927B3C303CE3F1393DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:49.798{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25FC16EF4E5C94EC856D36417286D628,SHA256=D1C7FEBD0057ED4AEE71FFED22F03598E4E321ECD06C285B62983D66302EE4FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:49.238{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA355AC8A28F9442A2267497152FBC0,SHA256=F686342322D700F5D1B53FAD16FC800292F331AB89228983F3434CCB5251BA73,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:46.370{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50520-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:50.828{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2B255A213FCA5BA9ACE905487D48ED,SHA256=BE304BDDB86E9540EB0F0CDE795B3C80304F881EEF8880018EC3925E8E96A8FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:50.391{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ECED252BC59B59DBDFA1C9669396F61,SHA256=7CCC0F41EADC26CD63518C35B8B39DA4FB1CD2B88D7D7B00CAEF66CA67AE9B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:51.945{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76BDF33C4BA1DB22018FAFE9BC1767D,SHA256=CA685630189638A171C7B6C556B74CD5F4EF33CE7FFCAA7DD51C059118CA85F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:51.459{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E3C797F050F74E3C65B3EEF2DF726C,SHA256=C6BAA81BDFC835004F8CD919668E0BEABCFD6E36359986570891956654975926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:52.980{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC0B9056D075477EBE569FD7F5BE572,SHA256=6B4610391D60B9A2ABD6F4ADB7A678A8746C8F113DD96273C03C4ECEA30639D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:52.575{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1D8995518F62A98FF8343E18ED3A98,SHA256=E91BA3D842C96A7195FD7ECFD1EAAC9BB6C8B0C2DEABC869BD3D6BAB6D38EF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:53.608{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C4E8AFC74FD013D8C78F0044714D42,SHA256=627820BCF3A96EF499610A3DEA9B842F7E485A65E77F1D7DDDFA18F094D092E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:54.674{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97CAF7EC4A9B60957F98D9B3784A20E,SHA256=78889419558403B0EB3B30B4B784E64CA0FF071FAC07DD00667AE291DD4C31C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:52.321{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50521-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:54.110{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB4AA2CC779872A3F88DA870A315B71,SHA256=A827A06889DE21D5F975BDDD6267F7DD868169BF205B1E09D66CBE68F680C06D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:50.132{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51749-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:55.835{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC56E29EB5A110CF143FC119646327A1,SHA256=F9BD271B8A3CED8E271D6FFB13E71F2AA62A93BFF4CB118CC6BE228E0CE8F6F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:55.143{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE936E0B3BE4D5AE3798E9915A820B8,SHA256=6AFB011C34C66AED714653091D10FA7F94A83E7F3F4CD1A010380335064AC92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:56.935{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DDD63F19362F8036488DC723E4F28F,SHA256=8EBC9E738E7D9B4D113DB109776F5CA2B3928AD30724D8338BCCF664B6BD51F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:56.393{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B34-6442-2E03-00000000DD02}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:56.393{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:56.393{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:56.393{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:56.393{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:56.393{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7B34-6442-2E03-00000000DD02}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:56.393{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B34-6442-2E03-00000000DD02}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:56.393{223CB5FF-7B34-6442-2E03-00000000DD02}5516C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:56.193{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF070FA2E8401172688237FD1B78AF06,SHA256=81FC4A6C0D4F78677E474CED8CFF0D7DD8739BC3660C55007E45B7A5D722217A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.963{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B35-6442-3003-00000000DD02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.963{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.963{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.963{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.963{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.963{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7B35-6442-3003-00000000DD02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.963{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B35-6442-3003-00000000DD02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.964{223CB5FF-7B35-6442-3003-00000000DD02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.476{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53D89EAB69D1D677673F39A1ABC39A86,SHA256=31CBB4F31AB1265B05A0DF6368709F0910E75FFAC08BB2EC924A59B4D9CDAD55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.463{223CB5FF-7B35-6442-2F03-00000000DD02}58207064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.308{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7953D9EBA4BE167D65638325A969AB70,SHA256=C1B1A2DD8E890E03199A2B88CFC78BEA4B1685EAD8FB64EC042CF0BB3F2C3DAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.292{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B35-6442-2F03-00000000DD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.292{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.292{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.292{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.292{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.292{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7B35-6442-2F03-00000000DD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.292{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B35-6442-2F03-00000000DD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.293{223CB5FF-7B35-6442-2F03-00000000DD02}5820C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:57.975{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771B05FAA14F0587CC29D688652882D8,SHA256=D3E9E5F8849A9DBA5B66AD5253111EC883E8DE98853F325AFD15947B87052888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:58.993{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0BE32FBEB48DA4B4FEAAA3C3422F1A,SHA256=1982F852A0156F569CC924C74072DEFAF489C13C345F91106DB82A6A200F3214,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.822{223CB5FF-7B36-6442-3103-00000000DD02}68806872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.644{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B36-6442-3103-00000000DD02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.640{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.640{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.640{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.640{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7B36-6442-3103-00000000DD02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.640{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.640{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B36-6442-3103-00000000DD02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.639{223CB5FF-7B36-6442-3103-00000000DD02}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.407{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E945A16B37C2FBC1315DF93A0EBAD7E,SHA256=D5A88CCAB4C93C7BE6390BAE41AB180BBEF93045124C4EF0FBE5928480D30E3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:58.063{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=E95A18AD2CFA6B7E3BAAF12B5A24D004,SHA256=1CF8940AD4E29FFD13A2A6760EDDC4401064C9F1F44A3BEBB80D6434E45A3F8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:57.366{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50522-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000023584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:59.510{223CB5FF-7B37-6442-3203-00000000DD02}46762440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:59.466{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70D1DBDA6753120144A6BA603B24CB3,SHA256=17164835337E79CDCD68C0719FA723242E9E05883B5E87E4ED7010381978018A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:59.679{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EF1182CE78BFA0527FA4C8DC5BC5CCA,SHA256=8669FB96263D075EC4B1A1EEE8C1FE39BFE1598FFC2A4E492A399F7F1BA38D17,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:56.634{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51751-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:56.634{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51751-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:01:56.164{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51750-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000023582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:59.307{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B37-6442-3203-00000000DD02}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:59.307{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:59.307{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:59.307{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:59.307{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:59.307{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7B37-6442-3203-00000000DD02}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:59.307{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B37-6442-3203-00000000DD02}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:01:59.308{223CB5FF-7B37-6442-3203-00000000DD02}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:00.966{223CB5FF-7B38-6442-3303-00000000DD02}67446712C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:00.746{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B38-6442-3303-00000000DD02}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:00.744{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:00.744{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:00.743{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:00.743{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:00.743{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7B38-6442-3303-00000000DD02}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:00.743{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B38-6442-3303-00000000DD02}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:00.742{223CB5FF-7B38-6442-3303-00000000DD02}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:00.509{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D59DAA82F3DE67D230B71181AFD5501,SHA256=A842461B9AFEF4F83A4F70A6BF2D7A6D446A14AAF23F2450576315D5B1C4AA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:00.014{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5EB0898F058011B01BAE71E6AFA2A2,SHA256=558AE2965F020EAA1F68916C2AF53468C4F5F2E742002457B5B8F1794020439C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:01.650{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423CFF5ECBF43D006DC202533A820D91,SHA256=8B842BBAF27C18598421B6C3E300280A195BB6A2D7E79FEA4543A74406E51A6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:01.130{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7923B7A78A31B147970C436C5B07F863,SHA256=837BCFDB16B3E7B1D40EF54B041D764E7788FE0450BB45F6AAC34544056FE217,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:01.410{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B39-6442-3403-00000000DD02}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:01.410{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:01.410{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:01.410{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:01.410{223CB5FF-6DE2-6442-0C00-00000000DD02}728936C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:01.410{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7B39-6442-3403-00000000DD02}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:01.410{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B39-6442-3403-00000000DD02}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:01.411{223CB5FF-7B39-6442-3403-00000000DD02}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:02.678{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E93001BE3645AADE8E85D997F10809C4,SHA256=21201B9F4E308632F79B8F7822CDCFC3FFC95B24138E591F0F16FAB7BF01F421,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:02.170{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C5CC07D6DDA753CDC909A238CF4EEA7,SHA256=88A35EA4CFB65336F8E395FC7419FEEC4863AA8044EE2064CB350118E774B9FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:03.809{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CF60FEEEFE98E75C46526D306C41F3,SHA256=5510B5F87887D6C89801539F2918AD1C0FEC4A9B7D38370171BBB02D224272BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:03.188{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520B621A7DF11893259AFBB9A4CDE309,SHA256=AEC506E00941E0F75507A008899053B5F3494FFC675D291BD84B254159AA52B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:04.895{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43292931898DF0F71E76381A9C7AE121,SHA256=73E254715B0C13CE2A2E9CE062CE1EE88F95F4BD6D835DFEC11998FCD4F12532,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:01.292{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51752-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:04.206{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C08C71057C95554F872060587205EC11,SHA256=BB143724271CAA12E0EE88D3BEBB8DC14ED0607BFB145B7E6502953462FF7DBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:03.383{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50523-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:05.327{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=216EF7B66A6D88FDB3A0735E7455F964,SHA256=F38C414356EA48DBDA70DE429936A30F1F433FE34604E443F65B86819BFB570A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:06.026{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F2555FE6D2E2E962EDF875D9E511E0D,SHA256=DD56DD6C195BD6CC19EB62BCC0C34171DF3816784E3D7FEE5BB97D644B456554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:06.343{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6549E0B02E024DF20217DA987B88E674,SHA256=629D951F2C9BBCB9CF1829BCC3F2DB566863BC7A324F8C344879094490256854,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:07.995{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=876E47851CAB0F62A4C7FF2C8E2A18D3,SHA256=E0C296AC43B893F225260AB3F7B613A66604D47FB341A0D26ACB9AA15823EDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:07.000{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAA981E6C8ADA949EB0F789E7C6275B,SHA256=EC650F1132C5194BE773B2D94FA40649EA805DE0B293881D91AAD39DDA4FF37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:07.361{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA6FE9A2D6E974582836AFF6B1AC849,SHA256=6466712520EB0899FD367CAD99E515F2DA88DAC5C7E8F5B4EC6221E7869DFAA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:08.110{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDED6BA16CFCFE7513A3C4D878D1E45E,SHA256=611C6E09B48B46D5EA8B7E6149E3391947F42AF10BDEE8C14B9141E0E2371BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:08.385{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369838A473F21C0238D524C00CD91EB3,SHA256=D5D60F227AAF4B7E52ECFA7C8F1BD1F4AE1A0D06B112BD43AD61FCCFAD1F429B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:09.403{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D284268DADC74463A5963721E4BD8C80,SHA256=233D699BC8762A2869B26062ED267F45AF5D58299E130032208BE3258D7B126C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:09.210{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2911C61472651557997E60894F5835C,SHA256=329CE5AF73C58AB86A4A073506451A518B7F905BD6D45F26CAB1F374261697D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:08.440{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50524-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000023618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:10.496{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:10.496{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:10.496{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE2-6442-1400-00000000DD02}1096C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:10.428{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AA8BBFCD744AB87DDDA16DFDF9EFFACC,SHA256=063938D0EECBE369D996428EDE81B252203C6AD2E3660A5F929CF031B5EC8604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:10.228{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55C32E9B0614546630A713F7B1A9A4E,SHA256=2F4C6D760471D51155DC88A40CD5949F84F006A32387EC3AE974A504E6796799,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:07.138{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51753-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:10.421{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D7B9E24D4F27C3F5991F42C7241C18,SHA256=8D30440CDE795231493749F740840A6B7867503F7675B0FB44BE0CFACBB67C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:11.367{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A59AFF1B5D4835A1280E98FA34C4638,SHA256=D2951947FA828E7FB904441047951CF8620FD6145A54EB68AE5DF66914152F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:11.441{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=169B21A06F74BFF6B644B731180772F3,SHA256=59C17D6C826F75B1A679FBB08E5CD7063333073B9C083022EF6FF84F55E2B288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:12.396{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4071399B95FD203D62C5FE62C584EF7,SHA256=A27AAC65D954F733CE67C69143C5CB90BEB8F477179BCDAFB5384EB0736012DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:12.458{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209CB363FF0994C2B843EE689EB1C2E8,SHA256=3F82512D62E0938992F8274EAC317F14DC27EE2E3C7CEF02AFB661F7531350F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:13.468{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1566D49B997F8772E15909548C5B21A5,SHA256=E655F19D91913A2FEE510F0A8A08923FEA6E50AF32E6B37F0A3530A0AFD00067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:13.513{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B66B46F4FDF5DA04626BC69D16F07640,SHA256=E069298A4DC70A990E29A4A49CFF6AA0E3803A2820A768EB6B2621C9C97EE0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:14.511{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735F325C12F787DA7467ED8FE090B9A0,SHA256=99410E3435BB4E9426CE285EBFE423125FB36A66AED67648CAFB980521D2DD8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:14.932{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B46-6442-8206-00000000DC02}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:14.932{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:14.932{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:14.932{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:14.932{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:14.932{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7B46-6442-8206-00000000DC02}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:14.932{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B46-6442-8206-00000000DC02}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:14.932{AF4EC832-7B46-6442-8206-00000000DC02}4596C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:14.531{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2075EAA6A5FB8954FEEA723B6861DA0,SHA256=0F1230888D1CE9E3C2A27B3AFE1454D26437D1CBDBDFB5EB6EF35B5DD6808571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:15.627{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50166E6E74C4034DBD41BBCAAB88B1F4,SHA256=B7BFCFB2B53F7144F8A3F89D5A91ADB112EFDC5B20754ED175B03AB006DD6B83,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:12.271{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51754-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:15.580{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013DFBBFD1672C7BA4CFDD9AD501D9E8,SHA256=679D8B30A2B624E8A5712D1D8C9DE5437345FA05E3EAFC0AD1A8EAFB8D50BD09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:15.204{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:15.204{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:15.203{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:15.180{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:15.180{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:15.180{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:15.180{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:16.745{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E2DDE88B3BC1DDBB0A55538879748A,SHA256=7E26B302FB343B1710749D9155DC10C7FEEBC0C2698CB035FEC5464A9BC416E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:16.604{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444149516DBE3A2274633AB1170BE17F,SHA256=DA4408067CED4F979E3313C3F62AF4064D3B3153CB224B9A5B05BE210666A569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:16.018{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E1A9B3F8775D08F84512F59A0382F85,SHA256=E776DBDED6329782FD2FF29C2895CE9700F879DA8E685350B84C738FC16EB9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:17.795{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CEFAAFC5E977DBDF6E3C4BB6DBDD50,SHA256=35F13CAD81D76DF510B5126807B051E5196727D13CE540F2A8312105FBDF7641,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.759{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B49-6442-8406-00000000DC02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.756{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.756{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.756{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.755{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.755{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7B49-6442-8406-00000000DC02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.755{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B49-6442-8406-00000000DC02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.754{AF4EC832-7B49-6442-8406-00000000DC02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.658{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=739FD17C4ECD740C50D3CD5D82EA3353,SHA256=5F416B16C96249D8580CB80FD0CB35B8FC839F58CABC76ED24B00B095176BBCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.637{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=109BF98289132F23BD0B3CD9C78D05E6,SHA256=FB0FFB8EE643D21C20F240CE3B6E836A7BE6360E9C750EF1A196CBEF60F9741C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:14.342{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50525-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000028722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.384{AF4EC832-7B49-6442-8306-00000000DC02}61682984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.168{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B49-6442-8306-00000000DC02}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.168{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.168{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.168{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.168{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.168{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7B49-6442-8306-00000000DC02}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.168{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B49-6442-8306-00000000DC02}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:17.168{AF4EC832-7B49-6442-8306-00000000DC02}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:18.827{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACC03796A25B764D19E0F2EEE1AC8391,SHA256=C4C88EA3FBD10BFDCD7F147D75FA70DBBCF66B5ECBC78F64F3B47392E93BE54B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.729{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15C35EEF0C06D13C5BC8889658366026,SHA256=36C16F98837B0C680AEC73CDADC5E44E3648DA42C418981F048216966EA34400,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.560{AF4EC832-7B4A-6442-8506-00000000DC02}23766612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.389{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B4A-6442-8506-00000000DC02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.387{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.387{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.386{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.386{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.386{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7B4A-6442-8506-00000000DC02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.386{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B4A-6442-8506-00000000DC02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.385{AF4EC832-7B4A-6442-8506-00000000DC02}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:19.971{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F8107E284B2E375A1D7CF2BC637337,SHA256=11DEDDA718A21789A5B209C554AB17DF2A648EF6AE51994BA1A53B748209C510,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.910{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B4B-6442-8706-00000000DC02}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.910{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.910{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.910{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.910{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.910{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7B4B-6442-8706-00000000DC02}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.910{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B4B-6442-8706-00000000DC02}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.912{AF4EC832-7B4B-6442-8706-00000000DC02}5504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.847{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1AAC2D1D879357450E8FC2ADBAEF0B,SHA256=06C267BD13E9DCAE763A6C354D6053789CD806466AB8556EBDF310684307ECC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:19.551{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.446{AF4EC832-7B4B-6442-8606-00000000DC02}69844772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.281{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B4B-6442-8606-00000000DC02}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.279{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.279{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.279{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.278{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7B4B-6442-8606-00000000DC02}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.278{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.278{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B4B-6442-8606-00000000DC02}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:19.278{AF4EC832-7B4B-6442-8606-00000000DC02}6984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.991{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED22DB4A7D4F975EDB2E212884982B4,SHA256=6BF1D30DD3C0A22B5530894785DF45011F99CAF2E0FAA51707C3B0B686119F67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:20.071{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-718C-6442-6001-00000000DD02}3228C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.586{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B4C-6442-8806-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.582{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.582{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.582{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.582{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.582{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7B4C-6442-8806-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.581{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B4C-6442-8806-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.581{AF4EC832-7B4C-6442-8806-00000000DC02}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.395{AF4EC832-6B63-6442-0D00-00000000DC02}8964028C:\Windows\system32\svchost.exe{AF4EC832-717D-6442-1305-00000000DC02}1044C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:20.095{AF4EC832-7B4B-6442-8706-00000000DC02}55046660C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:21.017{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21ECAABD98CDF94B563268C4F10F3667,SHA256=66D1783DF480334749825BFE9775AEA80D5D563B4825C90B49C7805795793818,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:22.052{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316F4423BBC599131F1ADB5B12D0E0E8,SHA256=462C58A29A115BC704B2E8B0AC6C0354B90465E954E5F408F636A1A4018BDCA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:19.423{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50527-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000023640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:18.803{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50526-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000028773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:22.099{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7103BB2D77F566650296DDAC1E38BEB1,SHA256=BBB14175E171FE3ACF10CEE945E24F1BD4CB544014C694A058341D038C9B2B32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:18.166{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51755-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:23.177{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA6AD86E324BFE11390C18E90F47051,SHA256=C8622B6B39BA9143C14BDB2A0D1D67816764402DEF02ECFEC74ED3128DFB4ED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:23.117{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0507998E2AAD67F5694D9374D7FA0D,SHA256=ECD6E8BB855A6FD7B55B61649C9B7F1154179B55DF0D9CAE8ABEAA14D451F16D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:24.208{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE9BA87B9F35F9084293887A3453D9E,SHA256=B1E59B55A4C5B28808F2847512FDA3EA9A7C5C3BE549A0C1ACF38D1931676F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:24.142{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB32BEF9468660253FB3F9792FD2024,SHA256=80D475F85628E60F657D8EF4BE851D06DA33D352E024BF64A9F7ADFCA5444B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:25.242{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0BC8E1F22157048766697FB4DDF6001,SHA256=CED0B65670DE05A7209522091F4BFBB1FB9C80AD08FB5C57AEF0B4509C787EF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:25.532{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-065MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:25.175{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8760DAD029D1EEBA73F2A27110825732,SHA256=211B63AF94C4805DC826786AB20FB758E26DD0F50D262FB341F045EA40CFF40D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:26.260{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA27D497754DC865A4C37B7D2921F6AF,SHA256=2223232324ADCAEA83D65C9EF72DB16BACB44D0BF29FE544A1E4C610E43F0699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:26.547{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-066MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:26.246{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B79581DDAD61B366E307D1A9B769D92,SHA256=3A8F34F49B91323C3D9F912A71FDC84376D6A2060924D6E1C1835F44EEF01472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:27.315{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B4CDD60E8FC0AC593F5FBE759329CC,SHA256=400EF15027FB786807D57C8ACE7487305C7DAB9FEE30311C02FA828A26D492A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:24.457{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50528-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:27.700{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:27.297{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F2014925BFDBE27EA1894FF6C09C31,SHA256=3E81753762E42487996E9963A20CB3F8F540E9E0B22A14974D5C2F89D408B345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:28.333{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419CDAA50AB226DC8BB2C31D8E5C0E7C,SHA256=E43162EC139BA6A9752887F8463CDDD96879AF01E5E4131C4B49F20103323C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:28.414{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B0D9219CF0E6EAF83F5A00CE86E0C2,SHA256=F35C716974A72D44D1D16BE97AD4B60C9ECCEDCFDFDA74DC81FE54D8CFE008CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:28.265{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1A2EFAA330DE117A249270B987EF5C18,SHA256=1D8133BC46E52194B61D2574320C047A66042586ECAC19851B1B64FD3DF32004,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:24.132{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51756-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:29.419{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9A3EAFE104AA92308852CECF980264E,SHA256=03E552427DDCFFBFD3D2E4502B0712A70D146227D163AAC526B72978ACEBCED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:29.432{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED8A8BA686C846FAE014A5837FBAAE0D,SHA256=41C71443E43197EAC0BE1E1E2633AA3F90E897A011001669E7A31FB4132FCEEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:25.752{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51757-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000023652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:30.470{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE34E3ADE2382901A721B4427B5EA56,SHA256=D98E2B8E4B28D9AABB1AD9F1559C7E5C11F3FFF25747C77A0387829B37B04599,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:30.456{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611BD49109BEC36287B1FD9C08F8F9A6,SHA256=DBDF84EBE840BC9A7161F009B7D77FEC7400128D3C1414B4547C6A5356B6FC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:30.355{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=59856C0DFC38E2DA6184F16ECBA5BD40,SHA256=C44EE3AB86FA649A3B6C74DEC05217867434C5E41DA825C3021BB8AA52271ADD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.681{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B57-6442-3F03-00000000DD02}6956C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.681{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.681{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3F03-00000000DD02}6956C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.681{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B57-6442-3F03-00000000DD02}6956C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.683{223CB5FF-7B57-6442-3F03-00000000DD02}6956C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:31.656{223CB5FF-7B57-6442-3E03-00000000DD02}4884C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotificationsDWORD (0x00000001) 10341000x800000000000000023749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.656{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B57-6442-3E03-00000000DD02}4884C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.656{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.656{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.656{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3E03-00000000DD02}4884C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.656{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.656{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.656{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B57-6442-3E03-00000000DD02}4884C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.658{223CB5FF-7B57-6442-3E03-00000000DD02}4884C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:31.640{223CB5FF-7B57-6442-3D03-00000000DD02}6424C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnableDWORD (0x00000001) 10341000x800000000000000023740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.581{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B57-6442-3D03-00000000DD02}6424C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.581{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.581{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.581{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3D03-00000000DD02}6424C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.581{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.581{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.581{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B57-6442-3D03-00000000DD02}6424C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.589{223CB5FF-7B57-6442-3D03-00000000DD02}6424C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:31.581{223CB5FF-7B57-6442-3C03-00000000DD02}6340C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoringDWORD (0x00000001) 10341000x800000000000000023731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.574{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B57-6442-3C03-00000000DD02}6340C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:31.476{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A4B4C0CF473EE57A7E26722408361D,SHA256=557D31B5D0F9644CB8CC95494140577BDD37FF56448DEB848AC94E086704FD4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.540{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3C03-00000000DD02}6340C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.540{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.540{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B57-6442-3C03-00000000DD02}6340C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.547{223CB5FF-7B57-6442-3C03-00000000DD02}6340C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:31.540{223CB5FF-7B57-6442-3B03-00000000DD02}7124C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtectionDWORD (0x00000001) 10341000x800000000000000023722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B57-6442-3B03-00000000DD02}7124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3B03-00000000DD02}7124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B57-6442-3B03-00000000DD02}7124C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.520{223CB5FF-7B57-6442-3B03-00000000DD02}7124C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:31.509{223CB5FF-7B57-6442-3A03-00000000DD02}3496C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtectionDWORD (0x00000001) 10341000x800000000000000023713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B57-6442-3A03-00000000DD02}3496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3A03-00000000DD02}3496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.509{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B57-6442-3A03-00000000DD02}3496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.511{223CB5FF-7B57-6442-3A03-00000000DD02}3496C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:31.497{223CB5FF-7B57-6442-3903-00000000DD02}7032C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoringDWORD (0x00000001) 10341000x800000000000000023704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.497{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B57-6442-3903-00000000DD02}7032C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.497{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.497{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.497{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.497{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.497{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3903-00000000DD02}7032C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.497{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B57-6442-3903-00000000DD02}7032C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.502{223CB5FF-7B57-6442-3903-00000000DD02}7032C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:31.481{223CB5FF-7B57-6442-3803-00000000DD02}7132C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpywareDWORD (0x00000001) 10341000x800000000000000023695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.481{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B57-6442-3803-00000000DD02}7132C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.481{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.481{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.481{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.481{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.481{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3803-00000000DD02}7132C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.481{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B57-6442-3803-00000000DD02}7132C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.489{223CB5FF-7B57-6442-3803-00000000DD02}7132C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 10341000x800000000000000023687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.479{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B57-6442-3703-00000000DD02}6200C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.477{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.477{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.477{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.477{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.476{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3703-00000000DD02}6200C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.476{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B57-6442-3703-00000000DD02}6200C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.475{223CB5FF-7B57-6442-3703-00000000DD02}6200C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 10341000x800000000000000023679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.455{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.455{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.455{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.453{223CB5FF-718C-6442-6501-00000000DD02}40162116C:\Windows\system32\taskhostw.exe{223CB5FF-7B57-6442-3603-00000000DD02}7028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.452{223CB5FF-718C-6442-6501-00000000DD02}40162116C:\Windows\system32\taskhostw.exe{223CB5FF-7B57-6442-3603-00000000DD02}7028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.442{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.440{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.440{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.439{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.438{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3603-00000000DD02}7028C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.424{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3603-00000000DD02}7028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.424{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3603-00000000DD02}7028C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.424{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3603-00000000DD02}7028C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.409{223CB5FF-6DE2-6442-1100-00000000DD02}9681300C:\Windows\system32\svchost.exe{223CB5FF-7B57-6442-3603-00000000DD02}7028C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.409{223CB5FF-6DE2-6442-1100-00000000DD02}9681148C:\Windows\system32\svchost.exe{223CB5FF-7B57-6442-3603-00000000DD02}7028C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.409{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.396{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3603-00000000DD02}7028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 13241300x800000000000000023662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328InvDBSetValue2023-04-21 12:02:31.381{223CB5FF-6DE2-6442-1200-00000000DD02}104C:\Windows\System32\svchost.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\simulate_dummy_reg.batBinary Data 10341000x800000000000000023661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.381{223CB5FF-6DE2-6442-1200-00000000DD02}1041008C:\Windows\System32\svchost.exe{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+452ce|C:\Windows\System32\RPCRT4.dll+27d07|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.381{223CB5FF-6DE2-6442-1200-00000000DD02}1041008C:\Windows\System32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+452ce|C:\Windows\System32\RPCRT4.dll+27d07|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.381{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.381{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.381{223CB5FF-718D-6442-6A01-00000000DD02}35967004C:\Windows\Explorer.EXE{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\System32\windows.storage.dll+5ce6f|C:\Windows\System32\windows.storage.dll+5cae5|C:\Windows\System32\windows.storage.dll+5c5d6|C:\Windows\System32\windows.storage.dll+5da48|C:\Windows\System32\windows.storage.dll+5c3fe|C:\Windows\System32\windows.storage.dll+5ef9d|C:\Windows\System32\windows.storage.dll+5f6dc|C:\Windows\System32\windows.storage.dll+5ea40|C:\Windows\System32\windows.storage.dll+17261e|C:\Windows\System32\windows.storage.dll+172312|C:\Windows\System32\SHELL32.dll+4c929|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d049|C:\Windows\System32\SHELL32.dll+e480e|C:\Windows\System32\SHELL32.dll+15474c|C:\Windows\System32\SHELL32.dll+1544a3|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:31.388{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" "C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000023763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:32.643{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E66391E2B3CFB81C79E0BA5A4459D2,SHA256=F9B3974D8DBAD0E4C346D0A265876F57D0D581FAFF39F6AFB713D0F309A7AD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:32.543{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88CF75961BF5601431614BE0F5303577,SHA256=20BAEA70D555F12E220D7B6F94E865FF50DF1EA7A4E2B042E16DF817E4CFB16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:32.595{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C707FDFB40521B9132ABD3E780914108,SHA256=CBFA22122F1DB534E8C5427FBD54966E27EBF9B6C836ADFB798BCE6525A68436,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:29.467{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50529-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:32.042{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C4962F474304A213F5834F4FD49C0A3,SHA256=48AC04334CCD6F69409500766FC5B5ED7C9BE440F62CAB098251115F42C451DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:32.026{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7C5396F32E2A238A0B7D96FBEEBD976,SHA256=177B02AE6008755B32267B945BAA0644E002259F6A6FE30E5C40CB523D33A715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:33.578{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61F86FD7C5497CB56D6EC898FC68131,SHA256=9CD5ABB2A6C4EA9A7E3538604CD0CE252A712E1F133FFB30B140F4DFDF2437E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:33.715{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D61C9C18E72731741D2B2CFB9A2367,SHA256=BF02CE648241B7F846A41E7E2640698471F431C30796A8ED880ED22BE9AB6452,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:29.291{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51758-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:34.634{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-055MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:34.604{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFE7C480BE29FE549D395149A6F970C,SHA256=34AF7A3A9EEF2FF8FAE145B7F77172FC6AB6C9443562476F59553171C241E5BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:34.832{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFD563E00E66CAABFBEBB0175F4D3C9,SHA256=5F96C9EC5BDE4733DA9618468FFB6281C163AF02696435A38CDCC3F4F3BC0E21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B5B-6442-4103-00000000DD02}6152C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7B5B-6442-4103-00000000DD02}6152C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B5B-6442-4103-00000000DD02}6152C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.832{223CB5FF-7B5B-6442-4103-00000000DD02}6152C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:35.819{223CB5FF-7B5B-6442-4003-00000000DD02}4552C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdatesDWORD (0x00000000) 10341000x800000000000000023777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B5B-6442-4003-00000000DD02}4552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7B5B-6442-4003-00000000DD02}4552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.819{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B5B-6442-4003-00000000DD02}4552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.823{223CB5FF-7B5B-6442-4003-00000000DD02}4552C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AutoInstallMinorUpdates" /t REG_DWORD /d 0C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:35.807{223CB5FF-7B57-6442-3F03-00000000DD02}6956C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptionsDWORD (0x00000002) 23542300x800000000000000023768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.637{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51391B0F1367AD3DE46FF7C2552F4498,SHA256=3B2702B71E03788BC951BCB140C084E80634247305D4B4A3323C51E4FBFD1145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.636{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-056MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:35.850{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E12F3A8F8365F18D7C57139BD48628,SHA256=D69A0997737E2D20E86424F3F0AA6D1EB5BADCE6260729BD3821CE3CCFA4397A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:36.652{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF689E475D8A04CF260A6CC139A0B7C1,SHA256=ABC78468016A596F7E1C48A166CFC10BE510AE97C56E9AD87CD810C64EF5B628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:36.874{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8966F968994FAB0556A9C63971F076B4,SHA256=27060C9C0F3605632D46F21A53F21CC0EE7C3F82717BB5B36D749BC0E3050F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:37.907{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=879C913A9167A1A9FBEC032C4CCF39DD,SHA256=461820E41FB5F7D74C2A6B14796CC7A9110BE331DFA171207F2C560AA7E2CA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.794{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E425E4D3C10C13849487AFAF8CFA351,SHA256=60478C141B315F58473BF084A7F87CCF7D8851D29B353011A0367085DBB913BF,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000023842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:37.788{223CB5FF-7B5D-6442-4703-00000000DD02}1844C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateServiceUrlAlternateserver.wsus 10341000x800000000000000023841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.754{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B5D-6442-4703-00000000DD02}1844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.754{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.754{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.754{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.754{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7B5D-6442-4703-00000000DD02}1844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.754{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.754{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B5D-6442-4703-00000000DD02}1844C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.763{223CB5FF-7B5D-6442-4703-00000000DD02}1844C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "UpdateServiceUrlAlternate" /t REG_SZ /d "server.wsus"C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:37.754{223CB5FF-7B5D-6442-4603-00000000DD02}7072C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServerserver.wsus 10341000x800000000000000023832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.739{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B5D-6442-4603-00000000DD02}7072C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.739{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.739{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.739{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.739{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.739{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7B5D-6442-4603-00000000DD02}7072C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.739{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B5D-6442-4603-00000000DD02}7072C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.739{223CB5FF-7B5D-6442-4603-00000000DD02}7072C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /t REG_SZ /d "server.wsus"C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:37.723{00000000-0000-0000-0000-000000000000}6264C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServerserver.wsus 10341000x800000000000000023823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.723{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B5D-6442-4503-00000000DD02}6264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.723{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.723{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.723{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.723{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7B5D-6442-4503-00000000DD02}6264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.723{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.723{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B5D-6442-4503-00000000DD02}6264C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.726{223CB5FF-7B5D-6442-4503-00000000DD02}6264C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /t REG_SZ /d "server.wsus"C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:37.711{223CB5FF-7B5D-6442-4403-00000000DD02}6216C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocationsDWORD (0x00000001) 10341000x800000000000000023814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.695{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B5D-6442-4403-00000000DD02}6216C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.695{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.695{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.695{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.695{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.695{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7B5D-6442-4403-00000000DD02}6216C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.695{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B5D-6442-4403-00000000DD02}6216C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.705{223CB5FF-7B5D-6442-4403-00000000DD02}6216C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:37.695{223CB5FF-7B5D-6442-4303-00000000DD02}5552C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServerDWORD (0x00000001) 10341000x800000000000000023805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.695{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B5D-6442-4303-00000000DD02}5552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.694{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.694{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.694{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.693{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.693{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7B5D-6442-4303-00000000DD02}5552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.693{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B5D-6442-4303-00000000DD02}5552C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.693{223CB5FF-7B5D-6442-4303-00000000DD02}5552C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:37.670{223CB5FF-7B5D-6442-4203-00000000DD02}6692C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsersDWORD (0x00000001) 10341000x800000000000000023796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.670{223CB5FF-7B57-6442-3603-00000000DD02}70286992C:\Windows\system32\conhost.exe{223CB5FF-7B5D-6442-4203-00000000DD02}6692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.670{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.670{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.670{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.670{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.670{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7B5D-6442-4203-00000000DD02}6692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.670{223CB5FF-7B57-6442-3503-00000000DD02}70125300C:\Windows\system32\cmd.exe{223CB5FF-7B5D-6442-4203-00000000DD02}6692C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:37.678{223CB5FF-7B5D-6442-4203-00000000DD02}6692C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B57-6442-3503-00000000DD02}7012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000023788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:02:37.670{223CB5FF-7B5B-6442-4103-00000000DD02}6152C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdateDWORD (0x00000001) 23542300x800000000000000028796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:38.941{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=654439375126BD4670386A03DAED272F,SHA256=97F39F4801FA02C0102A3B20CF8A249740EDC79442B2E4AC511F8B5F2D88F759,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:38.891{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591C7D9800DC472F31D6F594D961A335,SHA256=6C4B721CC8A3AE2313B57A01A107C9BFE8B4853A1A32415428E941FC44C32C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:38.741{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6163AAAF55CB2847C7C3AB62A475F9B,SHA256=C7FAC4B2D3EEFE43D9821B9D9719661FC6455BC4D487A259E6342BDFFDBB80D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:35.309{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50530-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:39.959{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3BFEB48FE5584B70F4F4A86083B9848,SHA256=0A0E7530D1E6807794AF27F5BC03B57E62AA3B7BB74D54FFD3F39F1874FCB38F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:39.759{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4472C088E1B1144637BF2E4524C6E9A1,SHA256=AE502E48D48A90C0FABC5CC01046A8FFF03D6F207D593A4B13CC1F43C314AFC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:35.207{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51759-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:40.878{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5D6118C6AF93B06D474AA12BF93E70,SHA256=F42015711AEB2A5FC9F0356EFE9C5F1D68B3B9BA29751CCAB5F90F864023B6C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:40.397{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:41.998{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD37BAFC18E3FA51BF1606FD1EC6801D,SHA256=9DB14B99913931FD9613DC578B1E09D7FEB3DA13302DB5B3452ECAEEF30D6B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:41.484{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D6F1057A553D1CA06470D231A84B2A,SHA256=DD0BC1968C2EAA4FBE7D643213BE70D6CE3C6FB25BC5CC39C0779D5E7B09E347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:42.535{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C1DCA0C7635FF689BAD70D0B3E6AC28,SHA256=9D22CDD34BA610D6A7E0641BFC0DC30A7B1A619F0C6DE3580FB6CC2F3A5E6BB5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:40.521{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50531-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:43.082{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A082F2988CBC2D6BFBBF6380076AC65D,SHA256=128648E9A42F11D921815EAAFFA3EC9FE5DEF8E5A431AE26E89A2AADB2170C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:43.567{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F865A585179A0B2C0E81385435ED68,SHA256=A57BE0F4A9C77A2F9EE1EA678265D79ED1446DA3E44E3604AEE60813850EBE5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:44.103{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653CDDFF7D6A78C7015F94FFB26948E6,SHA256=64919A59CCC32708A68824BBB02B88A682AEE1106E29332A385F5F958DB82600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:44.591{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40BF1A83CA28133828818D54F9C2BED,SHA256=744712F5F8B90CDAE775A43F7037BD6037436ABCF9E956DE0A261B75E8E2E9CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:45.642{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5EC5941C7A513C0161AA272159CF52A,SHA256=3F30A9FA7C599ABD7D276802A73F951902853A77232FE820A00B5072F69E5896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:45.129{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B28EFFBBD254AB2707DF13976BF0113,SHA256=93778B02531BB52ACED89240A7E95B4B0A75173AC892588110EB9B9747364CB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:41.108{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51760-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:46.659{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=115E7D878445CA8DDC4002D22AD7F270,SHA256=D34D39CBDCA514DF68B053472C1334A902371F6ADF171EFFEF488D1FA21EA57A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:46.718{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+d30b0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000023856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:46.718{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+d2b91|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:46.718{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF34ddff.TMPMD5=1F4BD192F37F455E666A6F524978A45F,SHA256=3DEDCE8C8A9850C8DCE400D84B20A73ED72ADA56B93AD8EDCC0D71F32CCC9E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:46.160{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69999CCDDF093230525D0F78FDD6AD9D,SHA256=F91E70A5C6CD038070A0BEE2A0468AA734FEEECD1C48BD9297C9EE9D028AB8B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:47.698{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4BADD859AAA7F5A22BCF22C212621C,SHA256=7E2C8A87C659C45FC029D57E0BA95010FE3B6F1ADFF7377779DFF5F2018106B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:47.695{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:47.695{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:47.695{223CB5FF-6DE2-6442-0D00-00000000DD02}7927048C:\Windows\system32\svchost.exe{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:47.278{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE552B529E757419CC6ED5661101A06,SHA256=9923DBD3E7D358A55DB1C11D124949FC39D0FB3F4D2545672C2C00EF9B6C5D47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:48.817{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C26B1351789162280F827B5D742DBCA3,SHA256=91A88CB6582721924453077A22E5D07721ED09D5323A1E717A507F953E7602EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:48.296{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED4509EB2B9105007056952E3A9F66C,SHA256=F5875201F15B5800291FF9E8CE46E67EA9A76640297400738B6028BF42FB7105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:48.047{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4D41FAEAA2109A51F30AD2E2B2CDBAB1,SHA256=90921CCFCA994091882C7B4DAAF9D1A2738890C80F1700E3439A7F44ED5EDE87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:49.935{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B5B2E80DB807FEC40B24B549B63609,SHA256=2EA837242935D002C39DB38B2A9B82B0724BBC61E9AE5319B1A5B80107531EEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:46.508{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50532-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:49.339{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B009BC36805BD557C432567F4BC137,SHA256=666D1A0B24F577862A99EB582051228ECA0BE5CD6269B3B06E501F4726BFD4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:50.955{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECA8C989D63DF57CE19B2407F06455F,SHA256=6907F5E1B68D27181907AFC8F27DA7B6F3572146297779B5E8FFEE8EBAC195E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:50.370{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768CC771CF6DD5554FF373FAE058BD9B,SHA256=BD374F6518C0369B85B143CD6AD2AE368448B4E96123CF6C054C22FAE2D5800B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:46.201{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51761-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:51.503{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD0A2CFD6587D583237FDAC1DD84CA7,SHA256=18D6EB29CB7437EEC84F22E2731225E7D5F4E23571A2E1727B7397AC89F38828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:52.547{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95457091E0995C3E44337FE24227BD0,SHA256=617AA00DD9184E5B965BFFF862D8C31F0DD95D26C85C7D2A44B9E400F207A5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:52.072{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEEA5A92B8923A14664FD4D465E17AE5,SHA256=62CCDF35ED98E0B0957B6A9E5BAAEED409BA58A9BD72DE2F4B6275ADA94A67C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:53.677{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=202527CF6631082F2CF777D3F3D84AAE,SHA256=471AF2A300ACA8EAEDE50DC4B1178AA4E1DE17AD975A4B680CC3A68820E37695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:53.096{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D289E32F32E9D7A2D45683A52E65E60,SHA256=02CBD7689DF6438332F4A378379BBAB2F1DEE38F2C97F267D8F37E912143D1D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:54.711{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE317E5D7C62A10E5928099FE8A3323,SHA256=3DE04DFEEE3A3DBA37CC794B0B4C179284F4B448BC5BD8D72FE3543429E071FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:54.214{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC3B3C8F7A8531EF3E2512F7272C2FE9,SHA256=7DAEE46FCC50042EDA6DEE64385B04B969808F2C7BC4E68B69E80DE650CEC40D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:55.731{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E684766465654D75AB18CC9D2FF869,SHA256=AB9C122E9AEF2E7BE4374BD3FAD7D0BD20D7FC5F6039D112D231013F3D1D8562,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:52.246{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51762-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:55.232{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5BE972874F92C04E4BEB3E6518D735,SHA256=8CDD160D01F6AA4DDCE8AF7942A317F9572D507B8BDF102DFD1C2456AF5DF8EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:52.522{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50533-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:56.785{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF18C242C7A8FAE29BAB7168A66D9004,SHA256=80990633745C05792DFDF8C2FB3A539E60CE463D09F5ABB1FB098C65D4F13A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:56.368{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D6BE35EA6E95779745D8212ADC0021,SHA256=180111FE9A6522D4DD16602AB1DDC2070BCE6210875EF8C1AD15BC82FC799E53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:56.399{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B70-6442-4803-00000000DD02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:56.399{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:56.399{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:56.399{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:56.399{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:56.399{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7B70-6442-4803-00000000DD02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:56.399{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B70-6442-4803-00000000DD02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:56.400{223CB5FF-7B70-6442-4803-00000000DD02}6560C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.979{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B71-6442-4A03-00000000DD02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.979{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.979{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.979{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7B71-6442-4A03-00000000DD02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.979{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.979{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.979{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B71-6442-4A03-00000000DD02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.980{223CB5FF-7B71-6442-4A03-00000000DD02}6228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.922{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB69986DB0778F92C365413ADF9048DB,SHA256=96A9A8CBC264244AACB5451C05588C3B2979286DD19734F9EF680CC94FAA8F0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:57.384{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6785A156C92D984FB05BD3703581BC1D,SHA256=2333ADE6925956EAB35E8D8153A03DD436676DFBE6AD90E50491F51C6CF582C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.470{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2AEAB7D352DA4FA9E27976D9F105C6A,SHA256=ACFA1F042A10E0575728A69172AD37191EF4765F3E1B308E75A807D79E86A7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.442{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2FFF735BB0879AD860E1A621A0559931,SHA256=969D458E34CD42A977BFD95D69381E5DF6DF8CF68426699FB143CA7D1606F960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.301{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B71-6442-4903-00000000DD02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.301{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.301{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.301{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.301{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.301{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7B71-6442-4903-00000000DD02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.301{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B71-6442-4903-00000000DD02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:57.302{223CB5FF-7B71-6442-4903-00000000DD02}5292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:58.402{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C9EC74DF213A9D5D0CE14141135DD1,SHA256=02A91305C826E5272D5F2CA78CF8991F3640B1CF99D62BD687944ED7A0F71B4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.809{223CB5FF-7B72-6442-4B03-00000000DD02}71206988C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.659{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B72-6442-4B03-00000000DD02}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.657{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.657{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.657{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.656{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.656{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7B72-6442-4B03-00000000DD02}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.656{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B72-6442-4B03-00000000DD02}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.656{223CB5FF-7B72-6442-4B03-00000000DD02}7120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000023900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.207{223CB5FF-7B71-6442-4A03-00000000DD02}62286240C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:59.705{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C2FFDC213EA826C463A8F3353D7B3B7,SHA256=016E1FB281945314CFA88EC64831E68BC28FFD1540E72C2FB07740B66C473E7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:59.527{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27A9CE056D1129F3CB7BDA3054EFDC3,SHA256=3D27AABEBFEABBF42A6E88B0155D61B070B505D5647348F1EE8F92BE5F492048,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:59.366{223CB5FF-7B73-6442-4C03-00000000DD02}40564348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:59.182{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B73-6442-4C03-00000000DD02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:59.182{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:59.182{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:59.182{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:59.182{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:59.182{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7B73-6442-4C03-00000000DD02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:59.182{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B73-6442-4C03-00000000DD02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:59.184{223CB5FF-7B73-6442-4C03-00000000DD02}4056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:59.040{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE4DA31193254EA18E21EE683C3C2E4,SHA256=6683E7FD1602F7EFDCD06EC4C04B1F85562CA8F40B91503837CEDE1841010D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:00.545{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D4C0E90B92FB055CAE7B30321F6D18,SHA256=00A26970A1693723C44FDD5006D531E511B6F8F795A1BCAEC650652410EFF547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:00.972{223CB5FF-7B74-6442-4D03-00000000DD02}50485436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:00.744{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B74-6442-4D03-00000000DD02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:00.744{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:00.744{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:00.744{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:00.744{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:00.744{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7B74-6442-4D03-00000000DD02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:00.744{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B74-6442-4D03-00000000DD02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:00.745{223CB5FF-7B74-6442-4D03-00000000DD02}5048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000023921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:02:58.414{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50534-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:00.111{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AC217D2195327B9FF231E8B4EC9C79,SHA256=F4AD4DCCD6B74A932C38976F745F2D1CBF8C6017B94005D56C582750C2DB2954,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:56.641{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51763-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000028853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:56.641{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51763-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000028856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:01.563{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8BA24D412CF610018E068D65DBECAAC,SHA256=AA2B9E4C8CAD69CF2C575CA120D037880D9B89C2096FC626B6753B32E862BD03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000023939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:01.409{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7B75-6442-4E03-00000000DD02}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:01.409{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:01.409{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:01.409{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:01.409{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:01.409{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7B75-6442-4E03-00000000DD02}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:01.409{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7B75-6442-4E03-00000000DD02}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:01.410{223CB5FF-7B75-6442-4E03-00000000DD02}5984C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:01.155{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDDFF6CE19EB99763844ED3C2C5A515,SHA256=42C5F46BD7B011975A7863C430259A1B0068C24ECC0FACE3B701527007B60846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:02.277{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB0D0C4654B72E40F667D0E1D01D9779,SHA256=4EEA23D927EE7CE6263AC3EF9C6254088408B05F08AAEA5079CC3E61CC05E208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:02.583{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D74627CE8C2B8D27589B0103E8532978,SHA256=67257E606341240C9AC33A361782E89BCA66554B63C7E8B2CCA150BD4A58625A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:02:58.098{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51764-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:03.402{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF5E36B88F2EBA05A618AEBB492E047,SHA256=EE62FD39FD2402334AB3A13ADDC074F5C3A36CB14078C4BFD5F987A2BA471FA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:03.600{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C8DC6D0305EFCA488539F5C69C7617F,SHA256=7926BABACECE64871C10C8B9D1D64B136B0B52E2B116517F123D8F5D94BDCAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:04.532{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D652FE715AC7CA157240719DB9944C8,SHA256=40612001378440A10497E16BABEF58D07BB5CBB1F99BEC49821CBC0878A01475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:04.640{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4F668117ED090AF4C9D850FE2843AE,SHA256=F921DE2C631FDAE65EEFBC5A34D2D0650C4AF7E8B66568D6AE1D8BD05B280DBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:03.454{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50535-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:05.583{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5A9FD96A744FE1B7797E3218A0870D7,SHA256=4CD40240482B9A685FD81EFAF8BEA317128EE659BC643F61DAA47D78CCCB4946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:05.673{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA5062C0BB5716C6C2D0BD3DEA45682,SHA256=1F0B8328052AC8D166C4A3790B9AFCDC790BF4D66052D6221D4978FDC97AE51E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:06.609{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE826958383763C46E7907BCA4DC5594,SHA256=8823DEC244E1BB26B90990D5F459D5083DEFF705BCBF6D3213970603D1B73B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:06.707{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480C1BE240A33D1F0A9E32399B2C4357,SHA256=7F0E7EBF9850B505F3106ABBB89AAFB54A1AAEFDA707298194AEEFBC5859A037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:07.996{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EF15C3CDAEAA7B28DBD6BB1DC46B04AC,SHA256=8F11C1029D04008B97A843AF8F2EBFBC053F64DF7AAD8BFC08DCD11CCE67EC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:07.655{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71418A00EF5C20307322FF913D8C2757,SHA256=332B73F9FDEB35511CC0604D42012906C67F54BA262D28F28CDFA196E46781AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:07.746{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350B1EB099566F1A3716ADF830CACA1C,SHA256=466CAD40615C59D7FBBF05CF3D5F82F625DFC0B77D6333E4AD622D6BC38ED4BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:03.188{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51765-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:08.773{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0FD4CB91FB3DDF57034C43CBC650C9,SHA256=7B66498575C5A6F3EB15EA0052A7E62D7E7AC0AF15609F34CE75CDB8D0B3255E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:08.763{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932BBA4B31AD04B0136F21A1153A049E,SHA256=E15AE426506FE1460DC44CCD7402DB92D7BF869B38F020C7904F8B8D6CBE2EC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:09.816{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF21FB9CE2AD6309A1E994E73847033,SHA256=F88D0931425D8D67ACB3CCBAB038033539ED58D0131CD167D8ABE78DA81C2723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:09.781{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643E871516C1ACFF2BAD62826D7B58B4,SHA256=C21807452FD0259630D3CEE41CAE0A95291B0BBC959322C254FDF46F61F0FB06,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000023958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:03:09.115{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000023957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:03:09.115{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00353585) 13241300x800000000000000023956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:03:09.115{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d97440-0xdb18acae) 13241300x800000000000000023955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:03:09.115{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97449-0x3cdd14ae) 13241300x800000000000000023954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:03:09.115{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97451-0x9ea17cae) 13241300x800000000000000023953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:03:09.115{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000023952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:03:09.115{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00353585) 13241300x800000000000000023951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:03:09.115{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d97440-0xdb18acae) 13241300x800000000000000023950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:03:09.115{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97449-0x3cdd14ae) 13241300x800000000000000023949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:03:09.115{223CB5FF-6DE1-6442-0B00-00000000DD02}644C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97451-0x9ea17cae) 23542300x800000000000000023960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:10.861{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D776A6D8DF29173F266740F63A60D58,SHA256=D0839B1096FFBBC0A922A65798440931C9A30E5F1E2BA0FD83F98E07F11E0121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:10.798{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2F488275F9E9A287BA9D7DFC586B5C,SHA256=FA2DA1B4A4BE81A331F64671A13C748904ACAAF0A336BD35C2DFF4A573DA75D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:08.463{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50536-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:11.879{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55245C8C81FCF16B9606BA60F319E579,SHA256=C81442764EE175E102D0BC501AA245BADB9291E02376EEFC51E44CEDF90ADE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:11.817{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1472C09600E87D5CE2EA625E8E22D61A,SHA256=834633C79757437B2513CBB9F9921FBBE28AF28F75D92504DA50542A62B7BDEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:08.198{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51766-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:12.834{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7866008831DB74803BD3CED04B12C1FD,SHA256=000B89AA3A122A5B97C40A6C857AD1970D8E374F6395662E644D82AD44D4348B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:12.823{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=4AC1995A005A34089E7C1C5DD2556DF6,SHA256=2FAF6EAC0B350FAF75237168B538AB51C575B60EFD44C2AD06BE6EB5C0BF481C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:12.823{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=EEDC9FF5E7F2D31913516146FAE86984,SHA256=C6F32341DCDE294EC4991D149566D83CE3797A32BA440A8045E1A87E17F1B7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:12.823{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=7657411E92B17ADBBD955B4BCD36DE67,SHA256=7703B0A9147988CAC10DB625BE725FBA67D72DFB0B2FF0532C6BC0AD67F6166F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:13.958{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3B0DDA9FBEB2A2CFD1F2876308ADC4,SHA256=6CB977FC0784D66F717B969167E1D7412800E3060A7820945966CD742CD2FB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:13.001{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3291C825459DBF4E42F9E032146FA9A,SHA256=A70ABCD45B48C9AFB5C2D451B3E3892158AD3AC7158768E01F8F952383546582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:14.992{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1F390A46A5A52ED8C92C276F261F10,SHA256=D21118AC4E62B95674A33CACE7DBB3ED96C73CFEC7659D83B6533805AE8714C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:14.053{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06629F30F2BA47417144E08C1BE210A,SHA256=BAC7161C555255093C989E23A6C74652AE4E703AABA3FBAD2957D6ECC05DFC01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:14.939{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B82-6442-8906-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:14.939{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:14.939{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:14.939{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:14.939{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:14.939{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7B82-6442-8906-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:14.939{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B82-6442-8906-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:14.940{AF4EC832-7B82-6442-8906-00000000DC02}892C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000023968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:15.071{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF09869A93F443D0B07EDF05DD42351,SHA256=0FBA6631B922E7866E1C9CAF79275ADB06F6C5F5C7509FA538319A4FB289DF9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:14.502{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50537-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000023969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:16.106{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594A528D90B853591D86725EF51C2935,SHA256=BEF86FCE10C8598886727BD2C6E7232F5CD78408A658F1582374C2D93A511292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:16.109{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1F32630EDF9ECFF055172E7B488A6E,SHA256=9E5E444292817A0809F46564213FE34BA91FA927815F46FA1903071058864192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:16.041{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE76F87FDA334428159B45B1CD9FB063,SHA256=6A44984F6F705FE0C6C69D5B6EAA22DB1BA131CAC5387DC2E800780D90A7F822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:17.160{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64222EFC58E9DD5997FF99DE1A8E05A,SHA256=E7E314BCA6505C951F072ECDE915CA01B6B23F89F6C4619AAE08EE051FE518A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.850{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B85-6442-8B06-00000000DC02}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.850{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.850{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.850{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.850{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.850{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7B85-6442-8B06-00000000DC02}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.850{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B85-6442-8B06-00000000DC02}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.851{AF4EC832-7B85-6442-8B06-00000000DC02}408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:14.146{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51767-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000028893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.365{AF4EC832-7B85-6442-8A06-00000000DC02}57324796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000028892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.264{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=643696914770FB795FD6D288C20304E0,SHA256=42AD46060379F45161806B2234C6758160B1648EE90B9E8F417269E961C93D3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.180{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B85-6442-8A06-00000000DC02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.180{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.180{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.180{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.180{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.180{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7B85-6442-8A06-00000000DC02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.180{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B85-6442-8A06-00000000DC02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.181{AF4EC832-7B85-6442-8A06-00000000DC02}5732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:17.143{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C950D1FBA4AE5E6057900E55CFA2AB8,SHA256=35359D6AC513B6C8424A19664AD95D86AFB77F5B3227B8E7E7E324C5B7C5A95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:18.194{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E034B15AD8D773C859E1E9DAFDB6FD9,SHA256=53F5851E7072638F8435816C7B301D4E12A8473812FE39816038C10885F5BAB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:18.699{AF4EC832-7B86-6442-8C06-00000000DC02}49923836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:18.531{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B86-6442-8C06-00000000DC02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:18.531{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:18.531{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:18.531{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:18.531{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:18.531{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7B86-6442-8C06-00000000DC02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:18.531{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B86-6442-8C06-00000000DC02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:18.530{AF4EC832-7B86-6442-8C06-00000000DC02}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:18.166{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA74C68972A3BB0D0BE5A26779E50F5,SHA256=5C21E0F61F0770F05B1AECF971C83172CDA873755B9EC1A234E68D851E483278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:19.566{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:19.237{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BE13BDBD2A99E1271427EA68E3A504,SHA256=339C6F175B0C6FAC0DA65296116D4960286B301A7FE3D1DF399F37269109F5AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.954{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B87-6442-8E06-00000000DC02}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.949{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.949{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.949{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.949{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.949{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7B87-6442-8E06-00000000DC02}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.949{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B87-6442-8E06-00000000DC02}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.950{AF4EC832-7B87-6442-8E06-00000000DC02}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.284{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B87-6442-8D06-00000000DC02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.284{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.284{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.284{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.284{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.284{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7B87-6442-8D06-00000000DC02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.284{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B87-6442-8D06-00000000DC02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.285{AF4EC832-7B87-6442-8D06-00000000DC02}5748C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:19.200{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7369A3A01629650D62D47A71A0E98974,SHA256=AC05E389CA764D4ED142C586D25962AA22C0044D06995C779082ABBCBDBDA880,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:18.840{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50538-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000023975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:20.268{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0938F67AC9E9F0704F4DBF2E65B597C,SHA256=3E04AEBDAF501BBF450507F6AA1323C2B534513703DFDB547B33565B70360AB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.819{AF4EC832-7B88-6442-8F06-00000000DC02}57244160C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.635{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7B88-6442-8F06-00000000DC02}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.635{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.635{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.635{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7B88-6442-8F06-00000000DC02}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000028935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.635{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.635{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000028933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.635{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7B88-6442-8F06-00000000DC02}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000028932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.635{AF4EC832-7B88-6442-8F06-00000000DC02}5724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.329{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B277903F89EB723296B68B556075110,SHA256=846C18A778C38DD20367F7BB1067562DC01C8F0FCA2859E30B33DD1A29179E06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.134{AF4EC832-7B87-6442-8E06-00000000DC02}632532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000023977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:21.286{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=270D81D85DBC683CA66522CACD224A0A,SHA256=C1F4026E17C434166BFE281E90F7819F3DDA123259E03894687C6171A8AF0969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:21.352{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E085CB8A9695557C56753D39AA3E0B,SHA256=5538398EBE78B7ED8983D8FA545935DF0C5FF916FE1BE2A0CFD3D9F545720BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:22.344{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A311A7A2F896915F7932A198FA5DA96,SHA256=FFA955A5F15962855B8C35908A54A74FD0F1E867BBDD6CD560D046E389CD048D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:22.375{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6ADD24333161830CDB11672170C46A,SHA256=4FC35FF775F9F052FB608CA94163D6035BD31DE1C918924E8B474BF0FDC21ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:23.389{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13ECFFE2F693B61E4CF6ABA3B7F38EA8,SHA256=65C49C3A49A11FC69EE01D4D22F7B1350FF40DD4A865EFE9E5E3A0A515E81C56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:20.122{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51768-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:23.493{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9B87B55DE3D7CB1F3EB6702370501D,SHA256=338B722A8F040D3D4CE9CA8478CB83B3D0DB48D64F23FADF0F0B5E849608394B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000023979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:20.392{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50539-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 11241100x800000000000000028945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:23.356{AF4EC832-7353-6442-7A05-00000000DC02}4404C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\AlternateServices-1.txt2023-04-21 12:03:23.356 23542300x800000000000000028944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:23.356{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000028943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:23.356{AF4EC832-7353-6442-7A05-00000000DC02}4404C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\AlternateServices-1.txt2023-04-21 12:03:23.356 23542300x800000000000000023981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:24.425{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B295D402FDDA1D8D3605541A9154E6,SHA256=E0E2CD04F1FFC0A9EF44BFB29F5F2ED07D836F2F1205B3F8E571AFD685190FEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:24.511{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C0E6182C66AFE40F23DB3FFC8CBF5D0,SHA256=B514EEDECB1820E6B97D9647B644E42F04BBEACB7B95DF05B87D6C1D3E6A61AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:25.579{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5151D90762B59466F4647B5CDC2306F5,SHA256=ED1D3633FAB47665A4378AFC3DBCCB03DEA53B46CC5CB41A67FC4BBE23440AAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:22.752{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local50926- 23542300x800000000000000028949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:25.561{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA71C7F9C8951278A19074B34EFD8C9,SHA256=3A359E9C7F7977D02F16F58BD9818BFAC01FE9A41ABB346DF6D8335E75F31CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:26.612{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0BAFC9B91857AC4D4FDDA6AB11B7CA,SHA256=4A45D309255C4BA731969AA25030B3216302F4D63110DCC1685ADD262CA63FF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:22.767{AF4EC832-7353-6442-7A05-00000000DC02}4404C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51769-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x800000000000000028951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:26.602{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9ACFD741AB95AD6694201BFBB41B79E,SHA256=9444FF23EB5777629E61B785FB16F739EBE4030459C6C78776722109B6EBBF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:27.734{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:27.718{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9B7A95EE4D8887BB19C49346DBDC0D,SHA256=1E6C6EB09C4F97FE2C84E9DEDDAF871ADCB471842D26A1449EC14DC28CA82367,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:27.713{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E922F1B5D1EDA3A88D52FB02DA33D624,SHA256=19A923A7140E666EE9A27245FCBC50AE8391F8E8B2B142302EF155833B825CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000023984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:27.697{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=104986C1D649050B63191AEF7EA07552,SHA256=E2A9FB71CD622316D2CB584B0B0A6C6A6E06453D2CE471DA632992D3FF7E93F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:27.067{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-066MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.732{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602240DCD410A306AD40F080F1204BCF,SHA256=2616101BECFF8EAAE0A1A0B0734937BD1FFF6D64F09B2E95DFE3330882E6044A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:28.768{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCFBAFBC2DAAA8EEA3D22C02F4E3CA95,SHA256=803790CEACB1F864C4A9BA8A2C2BD83E36F2630C4A9494B0968F2013D735FFFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:28.068{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-067MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.431{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\AlternateServices-1.txt2023-04-21 12:03:28.429 23542300x800000000000000024029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.430{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000024028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.429{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\AlternateServices-1.txt2023-04-21 12:03:28.429 10341000x800000000000000024027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.298{223CB5FF-7B90-6442-5003-00000000DD02}30003320C:\Windows\system32\conhost.exe{223CB5FF-7B90-6442-5203-00000000DD02}5616C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.298{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.298{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7B90-6442-5203-00000000DD02}5616C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.298{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.298{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.298{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.298{223CB5FF-7B90-6442-4F03-00000000DD02}29443036C:\Windows\system32\cmd.exe{223CB5FF-7B90-6442-5203-00000000DD02}5616C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.296{223CB5FF-7B90-6442-5203-00000000DD02}5616C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 10341000x800000000000000024019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.286{223CB5FF-7B90-6442-5003-00000000DD02}30003320C:\Windows\system32\conhost.exe{223CB5FF-7B90-6442-5103-00000000DD02}6036C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.286{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.286{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.286{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.286{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.286{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7B90-6442-5103-00000000DD02}6036C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.286{223CB5FF-7B90-6442-4F03-00000000DD02}29443036C:\Windows\system32\cmd.exe{223CB5FF-7B90-6442-5103-00000000DD02}6036C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.286{223CB5FF-7B90-6442-5103-00000000DD02}6036C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 10341000x800000000000000024011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.271{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.271{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.271{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.268{223CB5FF-718C-6442-6501-00000000DD02}40162116C:\Windows\system32\taskhostw.exe{223CB5FF-7B90-6442-5003-00000000DD02}3000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.266{223CB5FF-718C-6442-6501-00000000DD02}40162116C:\Windows\system32\taskhostw.exe{223CB5FF-7B90-6442-5003-00000000DD02}3000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.255{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.255{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.255{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.255{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.254{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-5003-00000000DD02}3000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.239{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-5003-00000000DD02}3000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.239{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-5003-00000000DD02}3000C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.239{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-5003-00000000DD02}3000C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.239{223CB5FF-6DE2-6442-1100-00000000DD02}9681300C:\Windows\system32\svchost.exe{223CB5FF-7B90-6442-5003-00000000DD02}3000C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.239{223CB5FF-6DE2-6442-1100-00000000DD02}9681148C:\Windows\system32\svchost.exe{223CB5FF-7B90-6442-5003-00000000DD02}3000C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.238{223CB5FF-7B90-6442-5003-00000000DD02}30003320C:\Windows\system32\conhost.exe{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.230{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7B90-6442-5003-00000000DD02}3000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.213{223CB5FF-6DE2-6442-1200-00000000DD02}1041008C:\Windows\System32\svchost.exe{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+452ce|C:\Windows\System32\RPCRT4.dll+27d07|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.213{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.213{223CB5FF-6DE2-6442-1200-00000000DD02}1041008C:\Windows\System32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+452ce|C:\Windows\System32\RPCRT4.dll+27d07|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.213{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.213{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.213{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000023988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.213{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000023987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.213{223CB5FF-718D-6442-6A01-00000000DD02}35964432C:\Windows\Explorer.EXE{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\System32\windows.storage.dll+5ce6f|C:\Windows\System32\windows.storage.dll+5cae5|C:\Windows\System32\windows.storage.dll+5c5d6|C:\Windows\System32\windows.storage.dll+5da48|C:\Windows\System32\windows.storage.dll+5c3fe|C:\Windows\System32\windows.storage.dll+5ef9d|C:\Windows\System32\windows.storage.dll+5f6dc|C:\Windows\System32\windows.storage.dll+5ea40|C:\Windows\System32\windows.storage.dll+17261e|C:\Windows\System32\windows.storage.dll+172312|C:\Windows\System32\SHELL32.dll+4c929|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d049|C:\Windows\System32\SHELL32.dll+e480e|C:\Windows\System32\SHELL32.dll+15474c|C:\Windows\System32\SHELL32.dll+1544a3|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000023986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.222{223CB5FF-7B90-6442-4F03-00000000DD02}2944C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" "C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000024034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:29.834{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0310531422FF66C0E624A5E9572B43AD,SHA256=7FC955F224F48050374640F8532650333B67C7C7476596FD79FEB89E5EF748A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:29.891{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C795F1DA97A9896FDB0643E7A97282E0,SHA256=69D0911E3A73BFE2F85EF333FD31CDFD414BFD1CBFD9BD344B0F8C148BACF6D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:29.314{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7AAE541B5E33BA88C39ED0F1BE24073,SHA256=C77B40073D8A268BE9D6F8CA133BF469C14422AC9C9EF7F13348C849FE43DF4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:26.354{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50540-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:30.956{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB6EE7F814CB3A0997C2F1507A9AF44B,SHA256=2A40A60D0EA95920F077C005FAB8497EA8FC07B08E4B7FC77324E3FB6AD05716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:30.924{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57C0E67724F990E3B69BD99188799C3,SHA256=C86D4DDC6639897B79AD716B8F031EA1FAB10589F6F0CBD1DA40C77E78570900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:30.371{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6A6C7FFF377DC5661054590CE7D4788D,SHA256=2644B5A388353C14124E5BB108F0BF77DD8ADB124DBD63C654B7FC8C5181C747,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:26.137{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51771-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000028959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:25.786{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51770-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000028963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:31.958{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECDC65C72964959097176F11D63CCE1,SHA256=B0AA7772D9B4D7E3981678A1D4F32F9AFFD20D33CDD7960846F2091D708DAF9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:28.972{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exeWIN-HOST-CTUS-A\Administratortcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50541-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x800000000000000028966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:32.976{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59013809D9AB0779A72934C25F6A6FC,SHA256=D126A3BEEE7993D9F87481A6282461BE860D23BE5159BBCFD11784A79812CECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:32.058{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02147A1FD939A85659666B548B9F4E06,SHA256=273AC20BB5E35057AE63B07AC39D68953ED06C08F615D2E95F437C3494F8A0CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:28.078{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal63433- 354300x800000000000000028964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:28.076{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal50255- 23542300x800000000000000024038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:33.102{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E1BF8DBBCE4689591735A9EBABDF8A,SHA256=FABC2727C7CAE755ECB3CC8F492C106D8E73736477D812D61030CC28EB9505B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:34.688{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\6chvkpgv.default-release\cache2\doomed\14264MD5=28D827FB8D3513C8061E30DC1DC6EC04,SHA256=A59CBFF68B1F6BF2FA03B7593783113A81AA43EA7133AEC21BFD4FE0EF069BC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:31.359{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50542-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:34.119{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E499E39B6F38F09994457EF66B590DB7,SHA256=D5B0C7E0C53A5924AEEDC4399FE42850B9FB8E0E46590F25E3039729320AD4EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:33.999{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC8FCF1E38EDEB03B6540D0F6556F1C,SHA256=484768060250A6B1A583133B1CE9493B26F88B40B608E02DC6B12E60C03921BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:35.188{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125A2418F059AE69F22AC9AABB254F84,SHA256=526699CD24CFCE8F35863D4D0D6BCE7A865A9B8818673AB6B53AEAF6C73A6BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:35.116{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB050F3E92E43F1BC1B1761DF1C555C,SHA256=B23E9962F3004704BBE62A97FF2FFF151241719B8C9746BDF50F131D90D1D2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:36.205{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2BB078E7689A928ADFE5B183954AC36,SHA256=239890BDB711EC9306DFD235F9F2D404F32C38BC6071F9D420B80A9DF54B0BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:36.820{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=375AB36B5A2F1ECEF99FA7C7A9A4114A,SHA256=EE8D84D0F4F2FBC768FE4175FDF289CC1249DAC05AEC4202A5EF7E31572A34C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:36.820{AF4EC832-7353-6442-7A05-00000000DC02}4404ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qy0e7jdf.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:32.129{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51772-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:36.150{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF62EA18FDB7AF5F6FBED04E2D7C716C,SHA256=E729976C4FD8B0D17A819515381F79A9B277FC07878D52711866E12F39EDFEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:36.164{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-056MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:37.238{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A161BEE3C662260392E47B1D0DA188D5,SHA256=14416909000BC9D9DF61C5B46D347AB557AA0E9944478DD5CA4B5E387B5C4244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:37.169{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22336384A4B9E6869DB1C9CE6CEE9073,SHA256=2DF97A2FBCB6A4C9F3F681DEC3109096EBA9C46CBFF53489CCA95FACB58CE0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:37.163{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-057MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:38.274{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29014D323A4CC4BC67E705574DE217F6,SHA256=B457A61B2BE525FAB6D1F6264672ECDB7C4C7018FFD94501FDC875BDAC03AC54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:38.223{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284EAC27FDCA64DF8DCB811332C766F4,SHA256=CBF547BBA41926D869220475D2A2EF40F46571498B09FF8A0DEC86ACD04D09DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:36.508{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50543-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:39.322{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CD76B7B1CE1D2A8D82A46B4F3A0697,SHA256=2D1026C23CE5DC9B8A130CA66DEDEC0E43650FF581E7EF79E61252D774DB509E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:39.240{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86EDF1F3530CD62922EEEEFCBBD06F41,SHA256=078437A86071D9B152B7E16136FCC5A0043228D2CA02DCF39AADB68CE58C2F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:40.444{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F413D6253891F276094DFD8686B3E5DD,SHA256=53670FF3917AD14B27485E195DB242211D5EDA31B72359A940E03688F79D44A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:40.275{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9353506C0A993ECDC0815273AA110800,SHA256=9407BD8158DD9CF2138AD991C1EB34B3141113C21C79AAD53B3CBAFE94D62BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:41.812{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:41.812{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=95A57A8EFB7729742708688166872AFA,SHA256=675F20624D01861B5AC7285C52AAB27D8E89F4967CFCDD8F98A0D1E7F42C9F58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:41.545{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625DED54C798577348B86B19283B1379,SHA256=AD5D0BE9305747C2552DEFED36CF481AEA47CEDABBDE9955C4C16CE0C789E380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:41.393{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29BCFFA888B929A802783F3844A4B39,SHA256=1D4BE82A1E0D0FB1195BB62A34117274F29C311CF4E28CCF41706155D627C2E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:37.160{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51773-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:42.597{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADCF224B1C7FEEFA530A4C353D5DEB6D,SHA256=1A69060068AECE4BA37D6B1F5E1A02C1E854FF421037BC42F00F66A6CDE09470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:42.416{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C22C0B6236EF40D84F82EDA19486ABB,SHA256=E4F42AAE189D8AE6B53572BD0E0D348A65607E3C3D6D6E3DF3970668D88838F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:43.646{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5DF3A2B6C38272770CB8B86D3405366,SHA256=952E1D1ABF7E2A2CF08006AE32DA9C6A2BC2970D7DC84255A07218FA9F0BF4A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:43.465{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2C3C2965C3D36117BE25EF17AA769B,SHA256=F72D72905E8D919D8EAD77A204F317FAA6EDDCBEB171D09D63816CB8B55D39CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:44.772{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B401F7BE46D0FF7308ABE2E8EB1CE343,SHA256=61A9C716C583EBB5634D633368B9F8ECB883882C7AC6F0AABC73A9F626200F52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:44.499{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9037146ED06995CDB33A5F65FF567ECB,SHA256=BB39294E45DCAAF20503B5248980EBDFBA562DB78155DF53E0A74D4B9D57ABA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:45.800{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A288E3AD5C8739F1B863A5824C6B08C8,SHA256=A800F43CF4D31802FBEFEDC77293D959C851257E5C7E74A5532B9A24011F700C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:45.537{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F65CC14C2BC5768C84B4AE9D3C7C952A,SHA256=7F73BA4ED9079F4AD9A92B052B87A3A0FCC0DDEB07CFF62E581530EB693A835B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:42.502{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50544-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:46.832{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E1A2D02D000025E1C1BFF6D6D630E9,SHA256=18F822CA3E6BB8B38EB6DD39DA3B0C8AFCE26999DCC2249E055D71E9DEC93779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:46.555{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FC6A27527A2992782FDF9144D37270,SHA256=2900901CDBBC139C27733A913609E07F156E71E5F38AC01EE01554D4C6DB7F81,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:43.152{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51774-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:47.917{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4645D03B971A611B1E1D17916B9073D0,SHA256=F1DAB188E69DAF65A992E4387E5A6F624C81B09B134EAB241628318CDE4EDD4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:47.573{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D4054446A013FB77AC243D3A24CDDB,SHA256=7F72B524E1BF164AB99B5CA5B76963102450275B6A9A7E7049EDEE48829E34C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:47.526{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=B3A59508199003820F812394B940A341,SHA256=682D7EA2217DE4E10F16D1DC05D398FB12C82FCF65B1B1005C5B2E89F5018A64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:48.951{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009026C42614F42CA061318E47817255,SHA256=7C49BAED127A212F18F9E380DBC3090A7C4F03089163EBF1EE063E1A83D3B861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:48.591{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39889C97FBD2B4C7A41B15A78725929F,SHA256=4B7A8AEF84FC59ECDEFAB6920FE68920F5179ACCE0B123EE5E4D99038360C8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:49.730{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E99637EADB7C74F76D159D7B60A38E5,SHA256=4BA33411FBE323E5A2EC72EBD8FBACD25E6900E8ADBDF37035BF8946D94BE0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:50.764{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7B1A29853CFBCC64164C9E9418EAF15,SHA256=3AD6E6790101FF7EF6DA896F437388146A362BFA86E2F55024A06ECBD4CF1D2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:48.506{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50545-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:50.087{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E027D1810A1B4EE6F232E315018E9644,SHA256=8006388346C76A732BBCDF244A2BE895A29EF42C1C4C578C962C4151D7C45500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:51.781{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AE6AB740DCFEB2074F023E53393268,SHA256=E50BD3778F37B3642DF4F4BCEA9AB34EC1521BC944459EB92354FFAACD2326DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:51.188{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A349C9221C246B6B96A19BC92FA8094,SHA256=7E80602641E5D38C616EB5C8901C17D21C95CC3D86668E1B216C2AE7E264E30D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:48.182{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51775-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000028992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:52.815{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C032C77AB79ADD373FA88431121310,SHA256=8A2FB7439AE1E1EEA7C4A9DC42F991592A89938FAB599003DC7FFE3B203F8CB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:52.237{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B68A12FB8FA255D9D4C90D396DCD7022,SHA256=82B0CF6B390C9ED71B3027BD4DDE3A9C9A3B562EAAA918709F5BE5A3B99A606B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:53.838{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CBE93E0256B3A0B5F49F07F4E4D34D,SHA256=0F2D1E857B8DF1CC3F425F4B49C5DEE17243F2EEDD9974D10C11F8704C816F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:53.306{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361F54F55A7723DFA1AF57C36C9AA389,SHA256=1C4BCB08CA9938E27272655C3F4532DCF1A70C1F3274EF9F99563ED6ED78C77E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:54.856{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73AB353669D50B31415FD86ED3A821B7,SHA256=2BC6CA5F14926A4DA720A3EDEC77C71AF6ABDDA0D4A02D0FD535AD1B350225B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:54.438{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DF458C0F878F7EA00ACDA71946785E,SHA256=F1551EF3BBE44E0103B31FAA9AA25CC3980738DAE2F2277575635944E13BF4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:55.874{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081DE746113E4B5689A719A8C321BF05,SHA256=45EC1498C14F72F3C28A4905EC4E33DD1001BB9F76D89AE098231E81EFB1C549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:55.492{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505F74DA69C47792849486EDC3CC243B,SHA256=CB2A5FC35AD180003C19A557139E02DAAB62894520DDB2DFC1BF7FED0E12E829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:56.992{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBEF707C3734B9CA350CFB6CD670B57,SHA256=EB091162DA46890DC486A6CD0D290A4D12F846D47DAE62E0F023C6E6E5F8A420,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:54.381{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50546-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:56.509{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6DE548227C3868F841A10ADA8370C51,SHA256=FE91EFB8347922B1AF4731A0D72A9C047254AE222F9FA7D4D7EE6C3CE31CD466,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:53.207{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51776-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000024076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:56.409{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BAC-6442-5303-00000000DD02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:56.409{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:56.409{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:56.409{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:56.409{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:56.409{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7BAC-6442-5303-00000000DD02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:56.409{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BAC-6442-5303-00000000DD02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:56.409{223CB5FF-7BAC-6442-5303-00000000DD02}6788C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.982{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BAD-6442-5503-00000000DD02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.982{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.982{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.982{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.982{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.982{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7BAD-6442-5503-00000000DD02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.982{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BAD-6442-5503-00000000DD02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.983{223CB5FF-7BAD-6442-5503-00000000DD02}2212C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.810{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=016C930920741E758E812E25345C1A21,SHA256=89657EB0070CF708E1B47904FAF767C6C4E145DC87BB64B926ABCEE821D5463B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.541{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937048A9799133F9830998D206EA41A5,SHA256=C9899124DF5E7A8BB035A63E8AC63767CC3C7604F035605193D10BA627B1C938,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.509{223CB5FF-7BAD-6442-5403-00000000DD02}46325872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000024087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.494{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F06E16F6E4E7D0C1F9F36F998360C1B9,SHA256=5463CD28DB4C38BBF2D0784F5E926889BF4DB21649B2C60787411C4FA3548C9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.309{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BAD-6442-5403-00000000DD02}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.309{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.309{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.309{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.309{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.309{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7BAD-6442-5403-00000000DD02}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.309{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BAD-6442-5403-00000000DD02}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:57.310{223CB5FF-7BAD-6442-5403-00000000DD02}4632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:58.826{223CB5FF-7BAE-6442-5603-00000000DD02}60323048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:58.641{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BAE-6442-5603-00000000DD02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:58.641{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7BAE-6442-5603-00000000DD02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:58.641{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:58.641{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BAE-6442-5603-00000000DD02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:58.642{223CB5FF-7BAE-6442-5603-00000000DD02}6032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:58.565{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC9220E17CDD859071C6CD960E5D6EC,SHA256=72C5FD98FED7A81F20AE5A48FFD1044CB9A0C0DB5FBC67ED880345CEECA3E466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:58.011{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3951DAF3A271779AC3B2BBCC14E1BDFE,SHA256=AC45E8064CA6F5D42600D0215EC97EAA91FD581CE521D1D1339953BFEEC1962A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.667{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C17CE3E3BD59E0E41C2072A40971DE,SHA256=5AC6BA964508E3D45353400D9EC6F05F1C1F3A2EFAFA0D668B160A57A9521A82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.496{223CB5FF-7BAF-6442-5703-00000000DD02}3280488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.311{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BAF-6442-5703-00000000DD02}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.311{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.311{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.311{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7BAF-6442-5703-00000000DD02}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.311{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.311{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.311{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BAF-6442-5703-00000000DD02}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.312{223CB5FF-7BAF-6442-5703-00000000DD02}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:59.682{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDD043A832207E0AC91EC2F3802819B1,SHA256=DEF0B340B49C07D5D87B9DEFD18487BC34533D3FE80A0369F06E1F6967A2B7CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:59.029{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82306F219C6E94CC361853FCC5262776,SHA256=9A297F9FD075EA939203283DF225715638CDCBBADA65B363573FC5391DBB5E91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:00.764{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BB0-6442-5803-00000000DD02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:00.761{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:00.761{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:00.761{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:00.761{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:00.761{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7BB0-6442-5803-00000000DD02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:00.760{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BB0-6442-5803-00000000DD02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:00.760{223CB5FF-7BB0-6442-5803-00000000DD02}6768C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:00.728{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F2A3EEC01673A1B8F8654F408575A1,SHA256=47D2DB5326FA361FAEFE5B4826135FEFEFFFF98AE2A8FBDBC34BAD9505DD81AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:56.646{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51777-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000029002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:56.646{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51777-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000029001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:00.052{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3C8641CDA21FE1342C831FAF5E61FC,SHA256=0DB90C313A3930F42B0AC576A93A2F1E382A7DD1E74D1D64AF058619BF7D53DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:01.767{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE9D3BE913358BA5A97DFBCB5A7C3C3,SHA256=88CD55899D0DF1A3783AE649772A428E29A4E65B99F590EE5110AC39951E847D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:01.085{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E975D871B8BF87F9A59377ACEC2F1EB,SHA256=E55BB0A41FB6A4CABC3737A593958F6132ED2F9D1B1D474436E4E49AF38124EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:03:59.435{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50547-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000024136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:01.428{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BB1-6442-5903-00000000DD02}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:01.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:01.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:01.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:01.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:01.428{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7BB1-6442-5903-00000000DD02}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:01.428{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BB1-6442-5903-00000000DD02}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:01.429{223CB5FF-7BB1-6442-5903-00000000DD02}6800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:01.012{223CB5FF-7BB0-6442-5803-00000000DD02}67686796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000024139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:02.868{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B26CB64CAFE26325A9C6222F70ABB7,SHA256=5CB490D6D306F2F09DD002C7C69FDD62C6E39DD5F7E7285992D719A2EC532A31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:03:59.151{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51778-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:02.120{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C49AF913132C22E586B00A847396AC,SHA256=8EBE1E3D302CE11F0508F632A99AA95A2DD3695C001848921020B22CB15DDE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:03.939{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09C9A638C28DEF76340B2C69BF37F2A9,SHA256=4362ED784509AA22A475863CAD219445B103DACBF66E4DF510CEAA4E805958B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:03.159{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880B1602D19A5100209D413F1C44CBE6,SHA256=90D61FE925BB7C658C5C0CC02D382C095EE3C9D89EDAD27CAF5425CB0C19920C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:04.192{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79BEBBDE50CFA0E1D989BEB9DD454DF8,SHA256=E50427B03A8FC39EBEAFC7FEE0885BF23C543126A1F42E51C4B3C833B44E5C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:05.027{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F304A0D6F3CF2992E2D8781E991D6726,SHA256=4BA77A9177A639130AB34D7A78C6BFD27AD7E6543F10020DCAE33F91DFA14298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:05.227{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0080B4833B584424E3D373F350D8AF,SHA256=044ECF7D6724B291BBF02CAC96114DEB4267BC1DE5F2CCEF2C89C484D3A55682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:06.074{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515E225C681BDB3985DE2ED849FED0A7,SHA256=B526BEC936D2F3983EEB663F024B32511BA6F3261DF96F987092D7869701CC28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:06.266{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C048BBE80F5BFEE9CFC4F4034603988E,SHA256=810CFC23ACDCF47261982E321F8D1A992D917CB45B1C4EC1054A93D6C8614D93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:07.175{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0440A8378A2ADD4D5EC4FCFE90956B5,SHA256=5E3F53457941E057691A4FC5A91E20040DE5BE294468548E21E585D37CB7BAAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:04.294{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51779-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:07.284{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E7715F61D61984F0FD70A85EFE29ED,SHA256=E9AB2DCFDC7E4E468C5A69F20B4AE030C11927ED6F064599149645B3525570DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:05.347{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50548-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:08.193{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D0D4CC3BD0D84025C3073CB824DDD6,SHA256=91A7FCA18A088F019EB28A85205C32494E9F05F6AA41A1B7C7F3C6D24B0B07D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:08.301{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECDA249F3746A61FD431C6DA9EAD5A29,SHA256=B528418B89A10B6034DCB520A7C3F8FD4A99DA38DB34EB3EB0665AD8961EBD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:08.017{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7387DA38DB0F44AA702D7DC44805570A,SHA256=6A6AB3DD24A9F19873EF7869020AE94BBBBF1D77EF248940646DFE61F787B1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:09.230{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77B9A6D416D3222780726039EFBFE398,SHA256=5F05DE1F1D0100D87726F8DEC7E7C8CABFD7ECB06A4F9A47619F0D44418F5149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:09.436{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B056DA02F780938EF8DED4DFABD93AFC,SHA256=1CAE673ED4C44854AEAE73C7BE9B00469A7914AF6E08C2610DE4AC5FC0E2414D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:10.331{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BFABE8866AACC4C2DF389692A846A7A,SHA256=A7C9EC5402E405A5C24F7ABC22A3AC66820158676A2FB3D54F0D78EB7D722101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:10.453{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238F7F54F4FFA60B1A80D3DC92FBBF7,SHA256=21F4933BE0E0A0D94E4AD27387DFA18A1E7E52C8F8FF3B7032E8CC0489B98E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:11.396{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69F110DCE6DBEF8415539B2A8E67CF9,SHA256=3FA2415764EC3B8A7F23C3C2956C4549AAFC60C4130ADA90C7D8FC4625AB7C01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:11.477{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00483B62C30BBB819C79C8B4E0918906,SHA256=0DB4C28FD608A3BB9C15D7903BE1C4EDBE4DE8895D0E8C2F1C972C075AC595A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:12.497{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF18DC2DFF1B936A232A1683B2A7F80F,SHA256=6FE13D0980AABE32F487A8B72EF643FFA253265CF3B1ECB15FC558429BEB5C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:12.594{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9CAD6FCF45F50DD4859423D105C7113,SHA256=D5129E535E23C867E34C25EC9DB8D7365ED1F5C8A19E46176C3FF4DC6C8D1CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:13.623{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC09601D967C421BF87DA35E3D97CE46,SHA256=5BEE89DC240CE82FFE0DE42E6BD48166500AD32CEDE1F2F448338524DAF9D4C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:10.370{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50549-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:13.627{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068CC7771AA26752D93DADF2C6019FB4,SHA256=A3E8B89592FA23AFAE62B40F14AB5D30E9AE35BCD010251EB25B066BA9F80802,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:10.223{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51780-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:14.651{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CDD5FA7C6C98164BD0AAD611960991,SHA256=442511E1BAB8210314641A8BAF8C169E4FDDFD7330245A1A5FE04D0E424571DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:14.945{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BBE-6442-9006-00000000DC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:14.945{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:14.945{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:14.945{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:14.945{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:14.945{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7BBE-6442-9006-00000000DC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:14.945{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BBE-6442-9006-00000000DC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:14.944{AF4EC832-7BBE-6442-9006-00000000DC02}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:14.745{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38083640E739287B13FEAA310D04E0B2,SHA256=528D2E2FBD048140DE5CA59D996B828306121CC5D3A2873CFA60D40FC97BEC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:15.784{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6073F228B705FF9B2D3A2931B575CC35,SHA256=FEDE1C6F34AD83070AAE416BF749386104A218DAEDEEEA04C65DC98FC683383B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:15.845{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CA3122B2AD6CC1D03509E1D9ACABEC1,SHA256=A45672ABC4E397F17FAF14AC3A38BBAE0374C98042376E50232453A5B4103AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:16.885{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6372723F2589628D8470C7BFF2734B,SHA256=60CA18CA83D72BEDF33A721BF3BB55F7219AE35F5CAAF951AA327F05F8BD4C76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:16.897{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FD6950ECE1C44D5F5D7E30D1580F20,SHA256=C346A39552CA9DE49C889F13764EFBE9405591ADE703ED05242195A75837EF27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:16.112{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C15DE16AD8471B5E34B6228B46B3AF93,SHA256=97A6EFE5A24682B741EAC0435DD212BF61E77AE3F1A0B79D0CAE93F9264C830F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:17.903{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E27AE401E33E13776045DDAFFDD290,SHA256=D14CC75CCFE80C7289998D91BBED10CA96BF98DA2DC8547FB545213460043EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.914{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B63B5E80BC6D6D6CAA93F39B5C8FBD,SHA256=3F6B9A660703B631D2B48294D0805CB25A51EA6332978E234058603DD3558F46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.882{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BC1-6442-9206-00000000DC02}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.882{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.882{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.882{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.882{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.882{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7BC1-6442-9206-00000000DC02}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.882{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BC1-6442-9206-00000000DC02}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.883{AF4EC832-7BC1-6442-9206-00000000DC02}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.829{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=256E680929D9FDED2F574123EC389BC4,SHA256=37ACCC66C768E1327B91802F8AEEB0DEF2716715FE9F8600E83BAFC9DF4CA936,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.413{AF4EC832-7BC1-6442-9106-00000000DC02}4688616C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.213{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BC1-6442-9106-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.213{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.213{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.213{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.213{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.213{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7BC1-6442-9106-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.213{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BC1-6442-9106-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:17.214{AF4EC832-7BC1-6442-9106-00000000DC02}4688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000024157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:16.340{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50550-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000029059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:18.730{AF4EC832-7BC2-6442-9306-00000000DC02}67204064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:18.547{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BC2-6442-9306-00000000DC02}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:18.547{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:18.547{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:18.547{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:18.547{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:18.547{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7BC2-6442-9306-00000000DC02}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:18.547{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BC2-6442-9306-00000000DC02}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:18.546{AF4EC832-7BC2-6442-9306-00000000DC02}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:19.586{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:19.039{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5074F8B390C540C2A6D1ABE7880839,SHA256=A896119355B0EEE9BC98C2C0FD2E214CD3509E0881B7651C4B14E00270954FCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:16.211{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51781-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000029077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.904{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BC3-6442-9506-00000000DC02}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.904{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.904{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.904{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.904{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.904{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7BC3-6442-9506-00000000DC02}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.904{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BC3-6442-9506-00000000DC02}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.903{AF4EC832-7BC3-6442-9506-00000000DC02}4508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.776{AF4EC832-7BC3-6442-9406-00000000DC02}21286496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.283{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BC3-6442-9406-00000000DC02}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.283{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.283{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.283{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.283{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.283{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7BC3-6442-9406-00000000DC02}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.283{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BC3-6442-9406-00000000DC02}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.284{AF4EC832-7BC3-6442-9406-00000000DC02}2128C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:19.015{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C03CAB70A61CCADC07901580B1969E5F,SHA256=AA5DE4BD48BCC010CE34669A3D4B06983815155BFBCEC8CC2136A19562C4CC99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:20.155{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC72963AC24BC723D8AC2F55F104068,SHA256=D87B7E9436066B38945E1BA9920248C6B1208C77B8BC0E42FB14CB43C377CFD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:20.776{AF4EC832-7BC4-6442-9606-00000000DC02}33442152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:20.576{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BC4-6442-9606-00000000DC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:20.576{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:20.576{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:20.576{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:20.576{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:20.576{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7BC4-6442-9606-00000000DC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:20.576{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BC4-6442-9606-00000000DC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:20.577{AF4EC832-7BC4-6442-9606-00000000DC02}3344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:20.103{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4305F03B57A0F3EC0DB09DFB531D74DA,SHA256=C7733743672C29605F9C577C067C5C7EDC820C0AF2B59121404ED88E521BEB00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:21.109{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AE2BD20D1296A74D032A214D1A7FEF,SHA256=F68A9C737AF6704295E5EB395E31E86498A543F7FF62894B0BEDACC628CB30CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:18.842{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50551-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000024161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:21.229{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9A52D22A015972FA87B90E05AA4289,SHA256=09FE67633AA97259EB579510990965199797178430CF6EEEA4046A6A03DF5FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:22.306{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D352C4FAF3A0C62B7C8B7BB27531964,SHA256=82347492F9E444131900ED91C62120D0AE8F9616AC234742C71BEE6523F3C12F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:22.230{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D838E19678759B6AB8E9F51914B80D,SHA256=ABDD429E25085FF6D96D3F23B19A634D9F11F60D171711BE6E20D6D9B4B4C7E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:21.479{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50552-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:23.374{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1796B54014442D25E826582229BC860C,SHA256=5EC0EF24E4B7B933FE0F1B7DEDE9E92A0075CF52AAC1B7E0D721C0C3809BCFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:23.261{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061E371B95687C7CF57F79015B1D74E1,SHA256=0CC3522AC9B86AA14EA4DE10A4C736AB5333ED297E192AE5E5B5B078D35DFBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:24.443{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C9C54061BF4980F5D9ADD85105833A,SHA256=785314CEC708F39EC37A63A536ACFED984B6CEFA2F89146E4D13F5EF03599C1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:24.292{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A9EDA2998816608E2A77A5ABBB855F,SHA256=60AD9BCD44EF13DB9E58E569B0ADBF103C95B04D1B1AECF69D1580605F04E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:25.544{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D866440FB26ACC6E93E39E84DB876D,SHA256=E20FB852CADBEEF967D4127E29A47264D03266FFFDC0FBA505DAD4B6F283CD35,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:22.226{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51782-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:25.346{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E11F2E47ADD041A103E9BFCE677322A,SHA256=C968CE21ABFF7AC5A52A5CBB1C94D049BF6093B647FC90F2A174E77A16FA3EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:26.592{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2A06E8F9CC8E80D6CBFB406FE380E6,SHA256=A1D53CC3606D0587D570F760F3A0EAE915255E11C7DC8737DC4D8B4DAF2353E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:26.393{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67FD9F548EBF3B67AB5A1912C402741,SHA256=8FF569F1DFC37E19B18D94356EDC86796FB26F5AB96DAB287657F5E016A6AC2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:27.863{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8673111219D33D425B95BA7BDA2B7ECF,SHA256=1D7883B2DFFB06D29601CCBC0D6E55E83A4D68A65D38D3B0032C1B75A6F54B62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:27.710{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58C189BA8367643C22F12A946CF35CC4,SHA256=44F1B545501AAADA4B50AAF0CC374D633F6B3D476FA02716CB767E4369585A03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:27.762{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:27.546{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E26F39D023A53CD018DA20CF01ED15,SHA256=72CBE63CA632D34B2C6E990CEE372BEA243CCDDEEF1D0F0FE58110DCD6D7A95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:28.813{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74BC284B159F664F143B3D373EB4D27D,SHA256=D3024DF2D5260890B8EAFE2C38DC3794E231B03FCA31955ED984CFE42B4C8FC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:28.596{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-067MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:28.562{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51EB1CB55328FA7D3B7E954D0E10574,SHA256=07C6FD65B22D8C53382852C7FE30C7AE6265D28751DC3DB529A3597C5E8717D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:29.938{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257FFB7E4B36E727B10723696E977B25,SHA256=329A8F05CB2ADD6719036EE478519955EE9AB9B272BF72534739D1AA181D147E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:25.811{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51783-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000029101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:29.694{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D131B9AAE230680A9FB7CA483F6BEEEC,SHA256=A0AB7FB978FE9CFC6257E00B2B401A0FCCC063ED665FB55802975F92BC8E03B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:29.595{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-068MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:30.966{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87467A9D65D407CA9A00EE5071C55C6E,SHA256=E65B8EECD66CC10815570381D5F8D5E6DE470E1D5776CA48FB04CE15A2B4B009,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:27.307{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50553-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:30.679{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E591BD2539B508BA54829311C8230CC,SHA256=5F4E633F29A66EE1DCA4F90A8270C19C4C438E41B0A48A93078F556DF71E0776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:30.379{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2E3DA3634296889D2B15A687A83C65A0,SHA256=E157461177FF2A0CB404918D7ED66227F364CFE356FB8B9540D377C626FC2E3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:30.202{AF4EC832-6B63-6442-1600-00000000DC02}13366020C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:30.202{AF4EC832-6B63-6442-1600-00000000DC02}13366020C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:31.712{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60956B46EF0D134375F0FF7E9CC149A5,SHA256=09ADA32BB33843D4B02DA918062D6441465562FDA315211DD2B43D2BA52C8E5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:27.227{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51784-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:32.863{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402EE8216201CFC57F7E5C88043C523F,SHA256=135F6AB0E16F53D73D18B1E4FFB543EF7DF4D0AEF9225746C49EEE46CF4B5029,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1A00-00000000DD02}1928C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7193-6442-7801-00000000DD02}4768C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.198{223CB5FF-6DE2-6442-0D00-00000000DD02}792812C:\Windows\system32\svchost.exe{223CB5FF-7195-6442-7901-00000000DD02}4892C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000024175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.067{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36F4DE8EC4579804B3A5B7D92BE5711,SHA256=7D195558AD30D0D69EB94CB84BFC097B2ED176DC80468B78853B94091FE57681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:33.468{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341C0B85FF1B6F21E39B82515458C8F0,SHA256=E557907EA54AFBAFB5D275DE119A160F19B1FB759C94A9C4CBD8A35E394AB634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:33.980{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B03A0FDF7F28A6FF5FFF353A09DB9F0,SHA256=34334487527C46B606592B9B4D188A8BEBC121F0953CCE50755856B9FEC5D648,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:33.464{AF4EC832-6B60-6442-0B00-00000000DC02}628676C:\Windows\system32\lsass.exe{AF4EC832-6B5D-6442-0100-00000000DC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97952|C:\Windows\system32\kerberos.DLL+79c68|C:\Windows\system32\kerberos.DLL+1458f|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+2da46|C:\Windows\system32\lsasrv.dll+332d9|C:\Windows\system32\lsasrv.dll+30c27|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+17bcd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e 354300x800000000000000024212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:32.539{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50554-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:34.668{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D95698C0070F23529E6D0D4375DA6D7,SHA256=0A9989CEA221DC14AE70BBBFC137CD5F771FE3078C866D18679D55CFFD78E20C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:34.565{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB2CD4C0707224B4CF14C242B2BD6CE7,SHA256=460FDF7938824B54510CFDE4C354E30429494160D7572C9E45B5F6365D2BC285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:35.783{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BD12F58ED46CF3EA7AA18C1C25F115,SHA256=0AC1E9057E61AF93C23013E05194C76C2BEB3C5C8EC179B07B89F9C75B9A7EE5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:31.529{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51785-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 354300x800000000000000029114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:31.529{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51785-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 23542300x800000000000000029113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:35.013{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5135EF651B0021077534F5F450DB7177,SHA256=C66E5C9AD4ED1B63BE3F4E3B79E48D7D45D7EF3817BB4728DB47072BF121F3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:36.940{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A50C15D46F88F0108D45FD072B89D0,SHA256=D9FD329B7DCBF2AE675AEFF9370C9C430FDA50FB3526FBD2665BDAF65835164E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:32.293{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51786-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:36.114{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F544AD9442765F13DB0FDA0D2A5C84,SHA256=7A50175891F4740EB922E8624ECEC83A6E6DBDF0E61E0E74AE649DE94D347061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:37.953{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B81BD962FD116ACE36DCBC0B8909A2,SHA256=4D7500061E9F64AF62CCDA6CA3E36F7CD19A5791E305176B11E8D4FA0D6FFE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:37.700{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-057MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:37.250{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3335A4CDDE2352B1C5A330B5FA2ABAA6,SHA256=134689C674E421DA938C464CE73B0C88D5EDD76224034FD607AD66C6F616A564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:38.366{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88463A1EB8E6F1B749B4B5176563692,SHA256=9A5FFBFB4966BC77091594BDEF5A1725920FFE0AA1BD75765A0F72782DF65507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:38.701{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-058MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:39.383{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5144C3CD6E0DD812920592825491D3,SHA256=92C5557751773F0A1F86801ECE92DFD361A9ABDAEB39AF6532C12A46C01FEAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:38.999{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F429AC835CAD0B64FB96A3B013BBC97C,SHA256=31D8316CB497DB97ED0B45F1B57E46997934692DBA0A37C2F7E295836AFEDB24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:40.416{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8077770040BE57B207F35E254DE298E,SHA256=A34675042F46AEB227F3FF08D1558963FDEA7C0D2DB5B8F6D7DB278C2DCD0729,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:40.016{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF2FDA52F6BCEB5C55DE6C3E1291293,SHA256=F6ED73AB588DBE63A39A9913FEA7D0A2CCF92B3E8F6478BA7DD730EB2EC4BE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.899{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16389B7D60E312F1AF93A08F81C5AAD,SHA256=78EAD561077CE59CADECD34FB9EEB423DA6AF71DEE7F421B2CFEA4C53B787D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:41.052{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=145F80BF6FD2A009A5FA4C25D6E1C123,SHA256=001BF889007B07487CCF3EB6B7951E7705906EA5BB3B3FB6601AA0A9ADC92262,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+395da|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-717E-6442-1F05-00000000DC02}3720C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.416{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7188-6442-2D05-00000000DC02}4548C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.415{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.415{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:41.415{AF4EC832-6B63-6442-0D00-00000000DC02}896916C:\Windows\system32\svchost.exe{AF4EC832-7189-6442-2E05-00000000DC02}2900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+394b4|c:\windows\system32\rpcss.dll+2b26e|c:\windows\system32\rpcss.dll+2a203|c:\windows\system32\rpcss.dll+45170|c:\windows\system32\rpcss.dll+45562|c:\windows\system32\rpcss.dll+47e6f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:42.917{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148FD4370396D3EBEB84B8BF986751B4,SHA256=63DA0ABD7FAB1C3F4E7234884373784D841CE7DC1CC586E73E62714BB16B399C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:42.167{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE37269EA4CD500429265F477537BB09,SHA256=06AD62A74E87411BF5829A41FFE7E6D750E549F58491F41399020578E5392757,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:38.423{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50555-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000029154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:38.278{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51787-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:43.197{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D986DBE550AAAC09D0F6A2C5083AD5DD,SHA256=7FB2995D23B1A5D49EAC2B4729CBDADE69EA9EB3C7E60CAE013084C259250D6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:44.249{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5206CF3FA478708A6DFF5A916918A5C,SHA256=6645C10F73EB37672E508C5CC78F30817E11AA291261138EED901C64E66AC453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:44.033{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE3F60D55E5C2C66EC94368D67873616,SHA256=5278552A02A43E5A2846E7C7C22096DA661CB706F3F22E19DF9EB51DA42CD806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:45.313{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4493F7FCCEF743B67A5C4CAA8338CBD1,SHA256=F5C1332255095569F3102AC5B5A064C0092EA814614847E7AA577B54C2218917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:45.253{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=900A8CE9939958D28EADB08F472E0384,SHA256=3544F4B685727A43B76C08F421E8022DA986F6F800E373C0BE7F56DB2FDFD71A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:45.084{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99C8BAAB9626A737A97F3911EE6F6A31,SHA256=426ED0BD84E2BB16198522D9D3AE6B3CFCD4264F8F52B527EF7FB29881816D98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:46.747{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+d30b0|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd 10341000x800000000000000024230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:46.747{223CB5FF-718D-6442-6A01-00000000DD02}35963148C:\Windows\Explorer.EXE{223CB5FF-7358-6442-CF01-00000000DD02}2316C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+d2b91|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9834|UNKNOWN(FFFFF801B85081E8)|UNKNOWN(FFFF864080E77DA8)|UNKNOWN(FFFF864080E77F27)|UNKNOWN(FFFF864080E725B1)|UNKNOWN(FFFF864080E73F7A)|UNKNOWN(FFFF864080E72236)|UNKNOWN(FFFFF801B8176D03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+d690b|C:\Windows\System32\SHELL32.dll+11d7ba|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000024229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:46.747{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF36b2de.TMPMD5=1F4BD192F37F455E666A6F524978A45F,SHA256=3DEDCE8C8A9850C8DCE400D84B20A73ED72ADA56B93AD8EDCC0D71F32CCC9E94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:46.720{223CB5FF-7358-6442-CF01-00000000DD02}2316WIN-HOST-CTUS-A\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\6chvkpgv.default-release\datareporting\aborted-session-pingMD5=24C89A8FC2619D1413CE2CB7D057348F,SHA256=081CAB9D990D7128C2F1F5DED2CEC22CAB0B8F8C601ADA67D3977A1C021457D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:46.436{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01FEC1DE2D01FE2564ABBF536A136E06,SHA256=9B44DA452C0349C09C92230112B01935B451F3FD5FF80C34AEFA781FE5850822,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:43.280{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51788-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:46.118{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C64949C34A36CA690062B00AE3C6302,SHA256=3D1273C24B072C2143FB4F01C82B6AD9E54A2BED14AEB0A202C35CE3BF917E12,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:43.520{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50556-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:47.478{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B9A1295DC611E32CE4C32EED64A908,SHA256=5ED0B89D42D895C2A106CAC7C55E5B3EFC32EEDAF77A88F99209F3884255F662,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:47.918{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1A547D775E2950F6E0B3E4B7066AE88B,SHA256=776C5CC4B22ACA577E5485BE8A61EDF33404AC36EA9F13CC3024C1607A287348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:47.154{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E70E5F0809D36C72D95CB76889F660E,SHA256=793D2825931F45CA50E50366FE1BE387009C7D1921037D4CE39BE0A9C2A4F63F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:48.594{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B165DE71DAEC0C1261ADBF5B1E0D39D9,SHA256=261DBCFA65E8C1E911346941940272173AD0B1CC2889B0D6114DF4F641846C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:48.186{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1D0C70174DC0BC02E2437EBD42C796B,SHA256=48EB7E4FFDF083B61E18FD98EF0F090637D997D47A335005D478DD4D3CBED44A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:49.635{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB48FAA975E02E81032B3B4B6DA1D564,SHA256=E1B497C0C0678F1D1A3042100D63B95FAB58E19FD42441BE8FEB648CD8400A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:49.202{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F4965CE4C5528822128C48F12B2623,SHA256=578A756FED620A29D95FB7AC7579FC1F14A33721C67F6C7FBD3C1902B693535C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:50.692{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=299D7C5E772771430FE26235F02A8E21,SHA256=42DA0083D479040B0010D3DF414B02E9C113E1492DA68000FC40F59B7E315AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:50.286{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=627AB7E34CFC760BB5C86B297C581B06,SHA256=20A7F6547578BEC48FE4CA546C8FF5CE065A66B4C365EE997E51A724E6464CE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:51.734{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8910606973CB2997142668112B41472C,SHA256=3F2B51607712330CC285EE02C66F5B9F26433050684F91A625A294F3AB35DE9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:51.320{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F74FB11CA6C0A48CB80F54D4055F23E,SHA256=BEAE11E2FD63E114FABAA8F74A471152DC2A9DFD50CA45083933FE2980A54EA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:48.533{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50557-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:52.875{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2892DE56803403083F2DD879078181,SHA256=A706D996FCDEA16AF763DB7B35C212874A7701A5CFC391CC9675D43377FD23A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:49.134{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51789-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:52.436{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57108971FDE6578A4EB9D9F35E7273AE,SHA256=9B5BF0E2EFF90F304B74927C3C5F32F9826E870A753224669B5EC7B564957B2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:53.908{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C2C59E17BFCA6AA3AD58964FAAD00B,SHA256=BB9C8F8579DC5337745BD11FCD68C0A804618300DCA03F4E43D76A5086801DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:53.521{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D925CF56871E8F660D5A414803F64BA6,SHA256=62136DBC7FA79B5467D6E1D657DEA4D1A93066E0E14ED9E5F16E897AE5E85BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:54.638{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=679E0ADB99F0E991A8D228AB4E729F26,SHA256=572D2F7E9A6823D4A4531D5ACC5A01EA14B2C87C2A826700EC651F82A5C0466D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:55.031{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B5F9F7EABB9EFF32BA35C15E4D6687,SHA256=ED3D310CC4ADA67F3739472C80E6139CC5E6FC32BFBFA608687B56EF57A8F280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:55.690{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B549F148A2113A6BD27BBD6B72D7B31A,SHA256=DEC0E802ED7AE9D8052B0CBE3E28D0C9745D61ACF2D97D8C628981C98A03A8E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:56.706{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D2C344D35C7B528BF67A34881FDAE6,SHA256=9650B0241128D33A458B40FA355E10256769E16BB1CDE3E20220E540DC72C9E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:56.430{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BE8-6442-5A03-00000000DD02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:56.430{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:56.430{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:56.430{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:56.430{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:56.430{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7BE8-6442-5A03-00000000DD02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:56.430{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BE8-6442-5A03-00000000DD02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:56.431{223CB5FF-7BE8-6442-5A03-00000000DD02}6912C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:56.173{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5EB5C91498A2AF3F38B71CF5C9171EF,SHA256=20180F296B4FC96C48D96BCDF9001D8486788C55DE5A96681F84142177C2F766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:57.744{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E96E5ED5272083C164948BCBD13265,SHA256=3A20B226D463CB80265CF8DB7B6135A5B5D9D7FE16D0DED96FC4DD5526520212,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.972{223CB5FF-7BE9-6442-5C03-00000000DD02}3767140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.807{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BE9-6442-5C03-00000000DD02}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.805{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.805{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.805{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7BE9-6442-5C03-00000000DD02}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.805{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.805{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.804{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BE9-6442-5C03-00000000DD02}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.804{223CB5FF-7BE9-6442-5C03-00000000DD02}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000024260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:54.276{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50558-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.457{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6417DB028C12F35A10283B744E89C95F,SHA256=A7B5CFF786862E5695A0F0B679200FDD89660C26DD767057236072DE52B2B936,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.308{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BE9-6442-5B03-00000000DD02}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.306{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.306{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.306{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.306{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.305{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7BE9-6442-5B03-00000000DD02}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.305{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BE9-6442-5B03-00000000DD02}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.305{223CB5FF-7BE9-6442-5B03-00000000DD02}6924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:57.208{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E747E42A6DEFFD9EDF1493D4C7BB4946,SHA256=BEE300E1B072581106D5DF4A7D9952C572DFCF840F969590F19F54E5A27A96A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:54.137{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51790-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:58.791{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32F7B340E8FD7BB966F860BB14FB524,SHA256=ABFD5C277DAA18B58E60085E842DC001ACEF948B61EA0452108C7021C56168AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.702{223CB5FF-7BEA-6442-5D03-00000000DD02}29166100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.488{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BEA-6442-5D03-00000000DD02}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.488{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.488{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.488{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.488{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.488{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7BEA-6442-5D03-00000000DD02}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.488{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BEA-6442-5D03-00000000DD02}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.488{223CB5FF-7BEA-6442-5D03-00000000DD02}2916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.257{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B135D6589DA892ADF69B51E270D876C5,SHA256=AFCCBAE23FEB080303ADACBF419018212309D8A474C52A7C73CEFAF042FD2E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:58.105{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C58E00F1D8ED2C523D1C0D19DD13DC11,SHA256=A387BBDCCC233805A80E6815868EF4EEAD759319662D8439B5BBADC48B91346D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:59.824{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D6CFC52547717BCF972D3DDB6C85AD,SHA256=E1A0A604C0778FA10EA78C7654B9D372258CBAD889FF5E8A3B03FA6EB5BC4A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.388{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0426B2516765A40EF02CCA4A77C3055,SHA256=C11B08998CDD3410E1C98A081C9A9C70489CD0FDC2B2DE1BF883A80A251254A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.388{223CB5FF-7BEB-6442-5E03-00000000DD02}49841700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:59.676{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B16B07737E0B4193E05A5C9AF2A9F29,SHA256=9267DAB65BA1B008C36897E4CADA52FA33355552A5647B945761D2C5B566E41D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.156{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BEB-6442-5E03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.156{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.156{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.156{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.156{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.156{223CB5FF-6DE1-6442-0500-00000000DD02}420536C:\Windows\system32\csrss.exe{223CB5FF-7BEB-6442-5E03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.156{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BEB-6442-5E03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.157{223CB5FF-7BEB-6442-5E03-00000000DD02}4984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:00.986{223CB5FF-7BEC-6442-5F03-00000000DD02}63841836C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:00.771{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BEC-6442-5F03-00000000DD02}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:00.771{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:00.771{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:00.771{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:00.771{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:00.771{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7BEC-6442-5F03-00000000DD02}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:00.771{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BEC-6442-5F03-00000000DD02}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:00.772{223CB5FF-7BEC-6442-5F03-00000000DD02}6384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:00.429{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D361947688A70F58C575564B0E8C13B1,SHA256=8445B43DF49DCBFA99FDF13F8AC297199F936FF48A2CAE0496D3FF39E16E8A8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:00.860{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E605401DD82E1BFD71F4A51B01F345F5,SHA256=1CF506596C623F8926BDF07F0778727D0FD0895895D595375224B734154503C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:56.654{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51791-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000029178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:04:56.654{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51791-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000029181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:01.977{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C4C5AA60991A92FBAC1A303E8E8E3E,SHA256=2EBF5C7D15DED74B3100B894DE01061EBF2166C7767DA0B5B96DAD05C22D1605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:01.459{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA49F88EAB397B825F3C4C8763B33D0,SHA256=04A0919CA008C4C86FF6F71503C4D205549A131F80047782B1FBDFC2CCDC9D1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:01.444{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7BED-6442-6003-00000000DD02}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:01.444{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:01.444{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:01.444{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:01.444{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:01.444{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7BED-6442-6003-00000000DD02}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:01.444{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7BED-6442-6003-00000000DD02}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:01.444{223CB5FF-7BED-6442-6003-00000000DD02}6420C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:02.993{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A62F0DBC74ABEFC08EBE6D4C67FD58C6,SHA256=3F74474243BFB86EBF00D5931FB7AC82638EDD058E627FA03FBFEB5A39123CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.564{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B59F273B1057FB1E9052F9D9F1DF01EC,SHA256=F0A558020109387E17297CA26304BE22382F29D478C8903B5A9FEF415122AF1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:04:59.401{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50559-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000024351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.386{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BEE-6442-6403-00000000DD02}6232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.386{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.386{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.386{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.386{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.386{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7BEE-6442-6403-00000000DD02}6232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.386{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BEE-6442-6403-00000000DD02}6232C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.392{223CB5FF-7BEE-6442-6403-00000000DD02}6232C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 10341000x800000000000000024343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.371{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BEE-6442-6303-00000000DD02}6152C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.371{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.371{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.371{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.371{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.371{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7BEE-6442-6303-00000000DD02}6152C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.371{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BEE-6442-6303-00000000DD02}6152C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.378{223CB5FF-7BEE-6442-6303-00000000DD02}6152C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 10341000x800000000000000024335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.355{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.355{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.355{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.355{223CB5FF-718C-6442-6501-00000000DD02}40162116C:\Windows\system32\taskhostw.exe{223CB5FF-7BEE-6442-6203-00000000DD02}6956C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.355{223CB5FF-718C-6442-6501-00000000DD02}40162116C:\Windows\system32\taskhostw.exe{223CB5FF-7BEE-6442-6203-00000000DD02}6956C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.322{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.322{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.322{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.321{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.312{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6203-00000000DD02}6956C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.312{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6203-00000000DD02}6956C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.312{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6203-00000000DD02}6956C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.311{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6203-00000000DD02}6956C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.278{223CB5FF-6DE2-6442-1100-00000000DD02}9682340C:\Windows\system32\svchost.exe{223CB5FF-7BEE-6442-6203-00000000DD02}6956C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.278{223CB5FF-6DE2-6442-1100-00000000DD02}9681148C:\Windows\system32\svchost.exe{223CB5FF-7BEE-6442-6203-00000000DD02}6956C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.262{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.247{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7BEE-6442-6203-00000000DD02}6956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.247{223CB5FF-6DE2-6442-1200-00000000DD02}1041008C:\Windows\System32\svchost.exe{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+452ce|C:\Windows\System32\RPCRT4.dll+27d07|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.247{223CB5FF-6DE2-6442-1200-00000000DD02}1041008C:\Windows\System32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+452ce|C:\Windows\System32\RPCRT4.dll+27d07|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.247{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.247{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.247{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.247{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.236{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.236{223CB5FF-718D-6442-6A01-00000000DD02}35966212C:\Windows\Explorer.EXE{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\System32\windows.storage.dll+5ce6f|C:\Windows\System32\windows.storage.dll+5cae5|C:\Windows\System32\windows.storage.dll+5c5d6|C:\Windows\System32\windows.storage.dll+5da48|C:\Windows\System32\windows.storage.dll+5c3fe|C:\Windows\System32\windows.storage.dll+5ef9d|C:\Windows\System32\windows.storage.dll+5f6dc|C:\Windows\System32\windows.storage.dll+5ea40|C:\Windows\System32\windows.storage.dll+17261e|C:\Windows\System32\windows.storage.dll+172312|C:\Windows\System32\SHELL32.dll+4c929|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d049|C:\Windows\System32\SHELL32.dll+e480e|C:\Windows\System32\SHELL32.dll+15474c|C:\Windows\System32\SHELL32.dll+1544a3|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:02.246{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" "C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x800000000000000024355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:03.614{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD3158A8538227365E837E75DB3DB03,SHA256=3011E92A2112F967423C3658A3450CECD3B29DAE2C38C287301B6EDE316E2D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:03.364{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9479D87CB12431F763E974992345CDC,SHA256=C09F9B89BEF782838B43283EEE1C2E32F173EA3A99859087C01F6CAD47C67282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:04.764{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4E4C3A2D55E8D7CBA80F1B75C6ABC45,SHA256=E8ACC71D984A406A7F63B8A3FF715776DF8FCA2272953BF4D2CEE62100A5F6E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:00.155{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51792-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:04.026{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5294F01F596BD16EA1C3301DD52BA2E,SHA256=44F589CF5A6D6638D6FA9E83BDF8592D4DF2FD2D5451FD9ABEA2CE3E9652C92A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:05.912{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1A742711FC22A04888B1E11D494BEDB,SHA256=9EB493EF3958559EFEBDB467EFA236A4099214793923C68D7DFDDEC5732FB86B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:05.178{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A0EBCCC73ECADE213DFE6ED0A1376FF,SHA256=16FFFF102185DB0449E4BD04A663EF283FBCD099409F229E3D7525D54D4DC6B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.963{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE66AD28AE3D31731DE1DE9C9B227439,SHA256=0B1F7A6EE6CC2A1E03213ACAEDCDFEB5135A5CC8384BFD109C681427F72162F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:06.309{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E377054A521D7CF6663F943C5B8CE3B7,SHA256=39F9B511328DA05CCCE8F7F8446DFD53B332400C1343DBE86AD566F33D8CA89E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.037{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BF2-6442-6503-00000000DD02}6636C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.037{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.037{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.037{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.037{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.037{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7BF2-6442-6503-00000000DD02}6636C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.037{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BF2-6442-6503-00000000DD02}6636C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.043{223CB5FF-7BF2-6442-6503-00000000DD02}6636C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:06.037{223CB5FF-7BEE-6442-6403-00000000DD02}6232C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpywareDWORD (0x00000001) 23542300x800000000000000029187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:07.427{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA1FA6121FE79F958B228F50DD1D540,SHA256=B97EE9FE57804A07A78B3B36649B209A978694225597324AE7138BB523C6DC53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:07.820{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BF3-6442-6603-00000000DD02}6984C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:07.820{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:07.820{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:07.820{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:07.820{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:07.820{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7BF3-6442-6603-00000000DD02}6984C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:07.820{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BF3-6442-6603-00000000DD02}6984C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:07.832{223CB5FF-7BF3-6442-6603-00000000DD02}6984C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:07.820{223CB5FF-7BF2-6442-6503-00000000DD02}6636C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoringDWORD (0x00000001) 354300x800000000000000024382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:05.334{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50560-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000024381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:07.021{223CB5FF-6DE1-6442-0B00-00000000DD02}6444144C:\Windows\system32\lsass.exe{223CB5FF-6DE2-6442-1600-00000000DD02}1236C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:07.021{223CB5FF-6DE1-6442-0B00-00000000DD02}6444144C:\Windows\system32\lsass.exe{223CB5FF-6DE2-6442-1600-00000000DD02}1236C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000024379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.016{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x800000000000000024378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.016{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\IsServerNapAwareDWORD (0x00000000) 13241300x800000000000000024377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.016{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\AddressTypeDWORD (0x00000000) 13241300x800000000000000024376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.016{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\LeaseTerminatesTimeDWORD (0x64428a03) 13241300x800000000000000024375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.016{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\T2DWORD (0x64428841) 13241300x800000000000000024374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.016{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\T1DWORD (0x644282fb) 13241300x800000000000000024373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.015{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\LeaseObtainedTimeDWORD (0x64427bf3) 13241300x800000000000000024372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.015{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\LeaseDWORD (0x00000e10) 13241300x800000000000000024371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.015{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\DhcpServer10.0.1.1 13241300x800000000000000024370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.015{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\DhcpSubnetMask255.255.255.0 13241300x800000000000000024369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.015{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\DhcpIPAddress10.0.1.15 13241300x800000000000000024368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-SetValue2023-04-21 12:05:07.015{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{bd560479-90fe-4493-b3f7-ae4cd7e637fc}\DhcpInterfaceOptionsBinary Data 23542300x800000000000000029188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:08.464{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51E54A473070E53C0B5671D75609240,SHA256=3F1B2934C196D37FDB48A0932B1D1F4F937FCD7E3DBE4707B0A877B970F416D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:08.935{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D213D411EAAAFC2214AA9642C04831A5,SHA256=9794D3119343D9A4F05C6F21729821EBD92F64A331278E58ED2B77AF3C9EB7F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.296{223CB5FF-6DE2-6442-1600-00000000DD02}1236C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:9810:1e90:8186:ffff-55491-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000024395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.296{223CB5FF-6DE2-6442-1600-00000000DD02}1236C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:dc41:9b95:eca1:b93awin-host-ctus-attack-range-328.us-east-2.compute.internal55491-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000024394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.284{223CB5FF-6DE2-6442-1300-00000000DD02}288C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal68bootpcfalse10.0.1.1ip-10-0-1-1.us-east-2.compute.internal67bootps 23542300x800000000000000024393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:08.035{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=204D82F61D13908F0EAA734147278468,SHA256=219EB59B9DE7504007F920D4B78C1B48D4FC4BADE5D677BDE4D733F437CAE025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:08.020{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2BAAF75D3A3D7976D4EEDCE73FAF4484,SHA256=324F289F56B063B1FB543F27FA75E8D6E9F3534528F021492DF088D02391746E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:09.611{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F85833618C60B2CB58C478B3D9BEF2F,SHA256=ADFA5746C0293E5A9B6F307B1B35067C41532A6F3644F920EEE745BCE64DFBCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:05.210{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51793-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000024409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.297{223CB5FF-766D-6442-4302-00000000DD02}5076C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse239.255.255.250-1900ssdpfalse127.0.0.1win-host-ctus-attack-range-32858896- 354300x800000000000000024408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:06.297{223CB5FF-766D-6442-4302-00000000DD02}5076C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse127.0.0.1win-host-ctus-attack-range-32858896-false239.255.255.250-1900ssdp 10341000x800000000000000024407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:09.219{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BF5-6442-6703-00000000DD02}7028C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:09.219{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:09.219{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:09.219{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:09.218{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:09.218{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7BF5-6442-6703-00000000DD02}7028C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:09.218{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BF5-6442-6703-00000000DD02}7028C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:09.218{223CB5FF-7BF5-6442-6703-00000000DD02}7028C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:09.214{223CB5FF-7BF3-6442-6603-00000000DD02}6984C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtectionDWORD (0x00000001) 23542300x800000000000000024398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:09.092{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78071839AEE56C7989E969748919D4D2,SHA256=2352C2B15F51EF378630457478F5222C9645D1AC3578AA1A9341A76CDF4C9048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:10.644{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE9DF0A12BC6F83EC6C427C3581520C2,SHA256=B56B5E60D99FD036A4D9BE79901C9BEBE323AC67EA2E48072A520947803BBEC6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:07.496{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal54178- 10341000x800000000000000024419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:10.991{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BF6-6442-6803-00000000DD02}5564C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:10.991{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:10.991{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:10.991{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:10.991{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:10.991{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7BF6-6442-6803-00000000DD02}5564C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:10.991{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BF6-6442-6803-00000000DD02}5564C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:10.992{223CB5FF-7BF6-6442-6803-00000000DD02}5564C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:10.976{223CB5FF-7BF5-6442-6703-00000000DD02}7028C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtectionDWORD (0x00000001) 23542300x800000000000000024410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:10.134{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3571892A11A5BD8204144A60E5AE35,SHA256=8D9E1EEA75668BE1C512F729D0DAE0B930C60734E3342E8DEFC9B45853EFEEA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:11.664{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4AFECE33A95AF97519B5B23D07E480,SHA256=489D98946A889981421B508CA977A202EDED2E446573D4F8ACEF815B01DE7AD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:11.191{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D712C472E9098F11898AEB5E53EAD5CA,SHA256=29EBC23BE4ED47B22A42DC00DD6C433232E7ABE445A749CD2587EFF6618655BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:12.796{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E814608C94E69A8F287E8C30C3A0BD08,SHA256=AC02EF3A5B7D457ACFBA063B34EEB2AC76781C8AB18C5783C373B62CB3F14F67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:12.780{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:12.780{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000024431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:10.531{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50561-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000024430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:12.590{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BF8-6442-6903-00000000DD02}6836C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:12.590{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:12.590{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:12.590{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:12.590{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:12.590{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7BF8-6442-6903-00000000DD02}6836C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:12.590{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BF8-6442-6903-00000000DD02}6836C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:12.590{223CB5FF-7BF8-6442-6903-00000000DD02}6836C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:12.574{223CB5FF-7BF6-6442-6803-00000000DD02}5564C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoringDWORD (0x00000001) 23542300x800000000000000024421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:12.208{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB780DC15AADA23650F501BFDCA904F1,SHA256=2DF7DD377C9558DDE69B0FBF47B2DCE8B48E58BA731E3E0E1BFDF8B5D0F7ECAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:13.829{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415CA7E7090A25DAC70F5D7CE70E09A1,SHA256=9B2338982702C7FB11C0D98112CBA494ED33F2E0B44B51BCC535AF50C6442C48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:13.891{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BF9-6442-6A03-00000000DD02}5980C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:13.891{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:13.891{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:13.891{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:13.891{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:13.891{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7BF9-6442-6A03-00000000DD02}5980C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:13.891{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BF9-6442-6A03-00000000DD02}5980C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:13.896{223CB5FF-7BF9-6442-6A03-00000000DD02}5980C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:13.875{223CB5FF-7BF8-6442-6903-00000000DD02}6836C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnableDWORD (0x00000001) 23542300x800000000000000024432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:13.260{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEC305CC1146F860E15792183D36C065,SHA256=C16EB8CA501B69C0A3BC919E872DD84EC5176261798CAA6208EDCC0D65A9F671,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:14.949{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BFA-6442-9706-00000000DC02}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:14.945{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:14.945{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:14.945{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:14.945{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:14.945{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7BFA-6442-9706-00000000DC02}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:14.945{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BFA-6442-9706-00000000DC02}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:14.946{AF4EC832-7BFA-6442-9706-00000000DC02}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:14.865{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4137CC05BA34DB8E650A1C27A3E3673B,SHA256=8DA6DE1923D945E5D2AAA2BD0C1046A6E03AFCF758DD9CBAFFAB5893B4BB05F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:14.974{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D7D5034F48C73D5FB75FDE51B96D7B5,SHA256=4448EE8382F8FAC5FDBE601F9EBFFEE15F1F3707038BB3A40DA45C9FE1A06A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:14.313{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258F57663B2960AF707E8DCBDA06F2D5,SHA256=F712DDD37CD19971E921C3748D0C0EBFDB8EC9896367D8146889D84BE6D84758,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:10.844{AF4EC832-6B63-6442-0D00-00000000DC02}896C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51795-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap 354300x800000000000000029199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:10.844{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51795-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local135epmap 354300x800000000000000029198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:10.289{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51794-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:15.981{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24CEF3078667550CE97E5C530D49EC6A,SHA256=427821A64183D564F11AEB0060559460D7F295B08FC0391F5BA3A0F86F82F282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:15.375{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1BE0FD28E48CEC9B5C1A14C65EA827,SHA256=36901FC0DFCD0865082843C4F9CC3FE61B5783E32E3B6F22EAB7F8E34885D012,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:15.190{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BFB-6442-6B03-00000000DD02}1648C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:15.190{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:15.190{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:15.190{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:15.190{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:15.190{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7BFB-6442-6B03-00000000DD02}1648C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:15.190{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BFB-6442-6B03-00000000DD02}1648C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:15.201{223CB5FF-7BFB-6442-6B03-00000000DD02}1648C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:15.190{223CB5FF-7BF9-6442-6A03-00000000DD02}5980C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotificationsDWORD (0x00000001) 10341000x800000000000000024463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:16.643{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BFC-6442-6C03-00000000DD02}6596C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:16.633{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:16.633{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:16.633{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:16.633{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:16.633{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7BFC-6442-6C03-00000000DD02}6596C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:16.633{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BFC-6442-6C03-00000000DD02}6596C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:16.641{223CB5FF-7BFC-6442-6C03-00000000DD02}6596C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AutoInstallMinorUpdates" /t REG_DWORD /d 0C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:16.633{223CB5FF-7BFB-6442-6B03-00000000DD02}1648C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptionsDWORD (0x00000002) 23542300x800000000000000024454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:16.408{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A61AF51C88B3EDB88DFCF4A441098E,SHA256=ECC974494051E69F784FDD25891BD629F9ECBCAF756C5D8C14C1637B4180FC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:16.030{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E92BA41C951474F17BC61112A5109D87,SHA256=CE3CD7B2F3FC99E35DFC098DF4A8BD6FCA478D7317BBCA26820EE3C2C8DAF922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:17.543{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14148B9D648DB3350F3AF7DD25A69F31,SHA256=68A49CF42F15097649459A49677942514A0A59809909F6C37D5B1F1C06C87D26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.814{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BFD-6442-9906-00000000DC02}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.814{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.814{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.814{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.814{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.814{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7BFD-6442-9906-00000000DC02}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.814{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BFD-6442-9906-00000000DC02}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.815{AF4EC832-7BFD-6442-9906-00000000DC02}2132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.367{AF4EC832-7BFD-6442-9806-00000000DC02}63246376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.151{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BFD-6442-9806-00000000DC02}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.147{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.147{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.147{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.147{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.147{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7BFD-6442-9806-00000000DC02}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.147{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BFD-6442-9806-00000000DC02}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:17.148{AF4EC832-7BFD-6442-9806-00000000DC02}6324C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:16.997{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34176A327D54B6D824D56699A6EA3C5A,SHA256=C26827A20A6BD5338382C1E68D7BE5A54520C14962ABA9AD19F177C0E2423A63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:16.345{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50562-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:18.574{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=023D581FA3394F1D7724FF1BDB277E58,SHA256=3791DEE253F58E0FC4C511D0FD55EC5193E69D57732038FE0002009702E3A1E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.684{AF4EC832-7BFE-6442-9A06-00000000DC02}35321724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.483{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BFE-6442-9A06-00000000DC02}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.483{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.483{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.483{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.483{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.483{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7BFE-6442-9A06-00000000DC02}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.483{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BFE-6442-9A06-00000000DC02}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.484{AF4EC832-7BFE-6442-9A06-00000000DC02}3532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.131{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D68CD63CABEA0A0606F4345BFF2BFB3,SHA256=F34B71D5B2AD5793B3C36FB85435BAC97BFF1B324F3812A87F8BD4EA371B1BB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:18.052{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8994991DC75136756B512277B415E8C2,SHA256=81F25F213C6D9BBBB3181D3832F40BEECFE327B1223F682EAACEA247627574CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:18.290{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7BFE-6442-6D03-00000000DD02}4080C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:18.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:18.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:18.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:18.290{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:18.290{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7BFE-6442-6D03-00000000DD02}4080C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:18.290{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7BFE-6442-6D03-00000000DD02}4080C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:18.294{223CB5FF-7BFE-6442-6D03-00000000DD02}4080C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:18.274{223CB5FF-7BFC-6442-6C03-00000000DD02}6596C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdatesDWORD (0x00000000) 23542300x800000000000000024477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:19.610{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:19.606{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC08EFBA72399BBCB6D8D3D1B993ED7E,SHA256=BB511A240F954DB71C8F68AFCF677D90B6A60D4CFC83CEF46F0BCA2AE904B383,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.969{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BFF-6442-9C06-00000000DC02}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.969{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.969{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.969{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.969{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.969{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7BFF-6442-9C06-00000000DC02}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.969{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BFF-6442-9C06-00000000DC02}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.970{AF4EC832-7BFF-6442-9C06-00000000DC02}6168C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:16.129{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51796-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000029250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.501{AF4EC832-7BFF-6442-9B06-00000000DC02}6276640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.299{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7BFF-6442-9B06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.299{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.299{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.299{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.299{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.299{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7BFF-6442-9B06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.299{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7BFF-6442-9B06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.300{AF4EC832-7BFF-6442-9B06-00000000DC02}6276C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:19.132{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B22F3BB9C6C43F7AAD1A01F83693025,SHA256=A6254C2BA13D674C8D5116909BEBA286F1993C035AC4F1D14730D61D9766CF32,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:18.860{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50563-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000024487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:20.773{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E334D771F90373D79F941A5A984500E7,SHA256=F0C0521C937D141EC6794ECAF5B5A028E09D9CC75F69F6D4BF4D25C9F548D746,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:20.889{AF4EC832-7C00-6442-9D06-00000000DC02}52724920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:20.654{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7C00-6442-9D06-00000000DC02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:20.649{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:20.649{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:20.649{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:20.649{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:20.649{AF4EC832-6B60-6442-0500-00000000DC02}412428C:\Windows\system32\csrss.exe{AF4EC832-7C00-6442-9D06-00000000DC02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:20.649{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7C00-6442-9D06-00000000DC02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:20.650{AF4EC832-7C00-6442-9D06-00000000DC02}5272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:20.153{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FA2AF8CA7187D840575189F937CAFAE,SHA256=A6DC9BA138E14573F961821928070750FBF8E83CB54F1CE841A875DFFE827A0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:20.272{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7C00-6442-6E03-00000000DD02}6336C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:20.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:20.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:20.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:20.272{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:20.272{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7C00-6442-6E03-00000000DD02}6336C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:20.272{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7C00-6442-6E03-00000000DD02}6336C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:20.275{223CB5FF-7C00-6442-6E03-00000000DD02}6336C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:20.257{223CB5FF-7BFE-6442-6D03-00000000DD02}4080C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdateDWORD (0x00000001) 23542300x800000000000000024499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.829{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86896507CF37CEF460D7D56F01393CB2,SHA256=398296511867F514820879CB8C77CC83CF985D218637D3D0B564E80754039E65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:21.285{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8A3D56A3A08D50AD2DB16E7CB17C47,SHA256=1B997398D221A7FE6508181B8DF0911F8A363ABBCE60BA37FC03189F0059CFA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.672{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7C01-6442-6F03-00000000DD02}5500C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.672{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.672{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.672{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.672{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.672{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7C01-6442-6F03-00000000DD02}5500C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.672{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7C01-6442-6F03-00000000DD02}5500C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.681{223CB5FF-7C01-6442-6F03-00000000DD02}5500C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:21.672{223CB5FF-7C00-6442-6E03-00000000DD02}6336C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsersDWORD (0x00000001) 23542300x800000000000000024489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.330{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3C56FF47F2424354BA7BAE93312C4A4,SHA256=C6BEA2E89FD74A86408A0A47F456DCFDD093156731D0A63E81F94A4EE0310DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:21.101{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07ABC1ED002BD3D6284664290D59F38A,SHA256=963F31561B07D9B58D00F8A8312D6B1AB33837614454EFD97C793B0230D1B636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:22.870{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8D4E907FF7EC8795735B5C1278D663A,SHA256=7EC66A59628587B83838F6FD5230009E863BFE9F0C93BE474BDBDC3FEE9736E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:22.317{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB1C5E0BE22422B6D38B91D9EA356A1,SHA256=ACCCE0E537ECE69AC42890F31043008B345FDFCC8E6A76E06D30892930F9924C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:23.927{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3712FEAECEA21B692D3898F52C471642,SHA256=0BCCD3366120D7736FF600124D26964A384E6C865D5C00819BBBC33765E22277,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:23.835{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\3CE3DF5F-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_3CE3DF5F-0000-0000-0000-100000000000.XML 13241300x800000000000000029277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:23.817{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D34FDAEF-E258-4A57-A230-22BB3A38D685\Config SourceDWORD (0x00000001) 13241300x800000000000000029276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:23.817{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\D34FDAEF-E258-4A57-A230-22BB3A38D685\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_D34FDAEF-E258-4A57-A230-22BB3A38D685.XML 10341000x800000000000000029275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:23.817{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:23.817{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:23.334{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03DE0B7CC353D2F5C27E3BEB255054BD,SHA256=9727650FF24B74D8637194CE68B9C86A80CA0DB5592BA1E9BFB2E5A12AFAF1B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:23.439{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7C03-6442-7003-00000000DD02}3668C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:23.439{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:23.439{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:23.439{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:23.439{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:23.439{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7C03-6442-7003-00000000DD02}3668C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:23.439{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7C03-6442-7003-00000000DD02}3668C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:23.448{223CB5FF-7C03-6442-7003-00000000DD02}3668C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:23.439{223CB5FF-7C01-6442-6F03-00000000DD02}5500C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServerDWORD (0x00000001) 354300x800000000000000029283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:21.131{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51797-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000029282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:24.670{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:24.670{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:24.670{AF4EC832-6B60-6442-0B00-00000000DC02}6282268C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:24.435{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AD9EE899F9C50A6BA74C0759BBE1C6,SHA256=0B7DF5B6C24A5AB76C49B2E923B9C2937B9E4810AFEB9A4D65135AA1B53152FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:25.569{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AC488ECFA67A241D4E1AA5BCDBC156,SHA256=62EB1D5E5B2367FD029CCE09BD22F367DCA2036A0484B3AD1A5FBE53B78EABE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:25.501{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:25.501{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:25.501{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:25.537{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7C05-6442-7103-00000000DD02}784C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:25.537{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:25.537{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:25.537{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:25.537{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:25.537{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7C05-6442-7103-00000000DD02}784C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:25.537{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7C05-6442-7103-00000000DD02}784C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:25.539{223CB5FF-7C05-6442-7103-00000000DD02}784C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /t REG_SZ /d "server.wsus"C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:25.526{223CB5FF-7C03-6442-7003-00000000DD02}3668C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocationsDWORD (0x00000001) 354300x800000000000000024512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:21.458{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50564-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:25.102{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2031399553888DEE16CF4CD3790DDFEB,SHA256=93F9BE8F77247BE2FF4A5F15E5675C66A9E95339C1B146235C9F27FBD2662FE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:23.562{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51799-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000029291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:23.562{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51799-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000029290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:22.731{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51798-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000029289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:22.731{AF4EC832-6B71-6442-2300-00000000DC02}2468C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51798-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000029288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:26.585{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48B37B4C5B8DB16D0789470F33A0B99,SHA256=9CDB2781C9C6C17D1EEB0C3F5597945FD13A2BAC17CF496B4EDC8BD2CDA6410F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:26.983{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7C06-6442-7203-00000000DD02}6544C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:26.967{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:26.967{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:26.967{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:26.967{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:26.967{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7C06-6442-7203-00000000DD02}6544C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:26.967{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7C06-6442-7203-00000000DD02}6544C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:26.980{223CB5FF-7C06-6442-7203-00000000DD02}6544C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /t REG_SZ /d "server.wsus"C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:26.967{223CB5FF-7C05-6442-7103-00000000DD02}784C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServerserver.wsus 23542300x800000000000000024523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:26.667{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC31A7F3639AC21FA4A158E760F8497F,SHA256=45AE4D96CDC6C60EBF965EF94A84A4D52A2D08E2884CA9C2E526D6076E2042BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:26.168{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486A01652258E940C986F84307F0B54B,SHA256=E8D1947CC9CC4980FA96D6CEA74D14AE60573D1568ADFB2057140CAE8A9E410E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:27.784{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:27.633{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A57DFD9E24A095D001ADEEDF80D5FE,SHA256=C8DAE270E485194F8676A653A8AFC913411983C80BBEAF2F7B218E63964AA429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:27.204{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF831F076386CB94F14B259835949009,SHA256=C18F9853727C5E29EE52B38348644E996C68D34B1F8BCCC94478D270671C226D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:28.748{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7A37C4F8240A6AF62FA9D1B9EDFF04,SHA256=B8C96BD7CB029D2FE283912691AD09FFC52CA2641F15801C4D1D623D164B1840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:28.324{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08B29F5F6F78339AF4F5CB81F8A44517,SHA256=66E53A70B2436546366654AFE3C5E00901AA690FFE2B9358C874B0071815DE29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:28.282{223CB5FF-7BEE-6442-6203-00000000DD02}69564552C:\Windows\system32\conhost.exe{223CB5FF-7C08-6442-7303-00000000DD02}7044C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:28.282{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:28.282{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:28.282{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:28.282{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:28.282{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7C08-6442-7303-00000000DD02}7044C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:28.282{223CB5FF-7BEE-6442-6103-00000000DD02}62726276C:\Windows\system32\cmd.exe{223CB5FF-7C08-6442-7303-00000000DD02}7044C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:28.285{223CB5FF-7C08-6442-7303-00000000DD02}7044C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "UpdateServiceUrlAlternate" /t REG_SZ /d "server.wsus"C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7BEE-6442-6103-00000000DD02}6272C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 23542300x800000000000000024535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:28.282{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1CDC0682F89F0A0C3057DF9FDD30C127,SHA256=BEE42A565295A64CF668A68FFAB34982DC2294ADD2978459AF74F0EFE4D6CF64,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000024534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:28.266{223CB5FF-7C06-6442-7203-00000000DD02}6544C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServerserver.wsus 354300x800000000000000029308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:26.191{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51801-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000029307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:25.829{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51800-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000029306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:29.883{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA975CDBCA394D81D9BCC5BC41FEB2E,SHA256=D5623E4575F1B55A5DAF59E843CBECCFE0964CA61E3AA01652F5CCD83E7FF1C0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:29.847{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000029304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:29.847{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00411e78) 13241300x800000000000000029303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:29.847{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d97441-0x2e7dc043) 13241300x800000000000000029302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:29.847{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97449-0x90422843) 13241300x800000000000000029301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:29.847{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97451-0xf2069043) 13241300x800000000000000029300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:29.847{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000029299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:29.847{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00411e78) 13241300x800000000000000029298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:29.847{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d97441-0x2e7dc043) 13241300x800000000000000029297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:29.847{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d97449-0x90422843) 13241300x800000000000000029296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-SetValue2023-04-21 12:05:29.847{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d97451-0xf2069043) 13241300x800000000000000024546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:05:29.634{223CB5FF-7C08-6442-7303-00000000DD02}7044C:\Windows\system32\reg.exeHKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateServiceUrlAlternateserver.wsus 23542300x800000000000000024545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:29.365{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E40CA5921E3E85085A1196B9DF539D,SHA256=C8EAD024BBBECD9527C7D60D495B8B0B2C7167D9ABFAFC84CC32D763B21DD933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:30.499{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6CE5CF61F6085B1D68F994D2508AA1F,SHA256=FB73D489D7D01CFF550ECF83B3D026DE3B9E0B37FA71934ED7BC29014A7D74DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:30.914{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD3361959B59E78052B7CFC0602F4C08,SHA256=CD68E331CF589DE42CFAB53E5D05D14160A53672895DB9B25347A5922AECEE83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:30.383{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=76E75B273BE6F5FB975F54693BE43F34,SHA256=95CABA8A8477D1A12A20D9BCBC4A27F1C5AF85BB0F068A03737A23884E45127A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:30.132{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-068MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:27.353{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50565-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:31.565{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31EA6303DAE1E415124559B19A641C19,SHA256=0B8BB41B5A5E16AE293B33BCAB94221D9F9C0EF7EB442FF2AFBCC275682D71C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:31.931{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8EF6FE991A89D4AF0EAED5581DE08ED,SHA256=9C0A45462E7F89DED196E4F5418289CC4272196383973901E9C44A69EADE66CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:31.148{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-069MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:32.697{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA6E59F7D21A366C5CF927E104135EC8,SHA256=4BCF0AEBE5FAF7B7AC645AC7E106B33D4C4A2C6556809154E6600614536B50E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:32.950{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AD54B4E3A45F1FF28C4D58C13041DD,SHA256=0C98C6F0E8D1754E8E1E5D49A72B0992FAE361DC403146A82A1FEDF9E068F1F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:32.251{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B5D-6442-0100-00000000DC02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\kerberos.DLL+97952|C:\Windows\system32\kerberos.DLL+79c68|C:\Windows\system32\kerberos.DLL+1458f|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+2da46|C:\Windows\system32\lsasrv.dll+332d9|C:\Windows\system32\lsasrv.dll+30c27|C:\Windows\system32\lsasrv.dll+2fb61|C:\Windows\system32\lsasrv.dll+17bcd|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000029315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:32.131{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:32.131{AF4EC832-6B60-6442-0B00-00000000DC02}628668C:\Windows\system32\lsass.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\system32\lsasrv.dll+789bc|C:\Windows\system32\lsasrv.dll+e7d64|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000024551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:33.847{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42653C695DF5010A8A63C313CB33B878,SHA256=CB74D780385965DAD7360A10EF72BFAED36B28A406C717D552DC508EB3DF591C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:30.311{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51804-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 354300x800000000000000029323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:30.311{AF4EC832-6B5D-6442-0100-00000000DC02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51804-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local445microsoft-ds 354300x800000000000000029322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:30.202{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51803-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000029321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:30.202{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51803-false10.0.1.14win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000029320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:30.194{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51802-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000029319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:30.194{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local51802-truefe80:0:0:0:6cf3:343a:250b:d242win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000029318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:33.213{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7FE0B261F154C92A01E7ACBA0F6B1E5,SHA256=4322CD77343F0B962BED1D233285577B2159C2E643BD34648E9C32E4DCAE2425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:34.878{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94280FF95699EEF5B62EBE169158C856,SHA256=BA455D267E6E4D1D52DEFCA1F5864835EEC27DA45E41A00E785A9F42F65F2D54,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:32.371{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50566-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x800000000000000029326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:31.207{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51805-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:34.066{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD12942D3F9CE508438EC6CBDEC5C403,SHA256=BD3D9166FA63916C6E5AF6C8E888DC05BB321BE8939308B03A2980EB43F6269A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:35.920{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0DB0385ABB0A6C219A39F5258D5DB3,SHA256=BD0C1B8FD5B46C2ABD5F163BC42F79FF83169C2E4AA918DFEF5F34E43E487291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:35.181{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A6BE9A7FDC9554BFB9B2EEF4B937EC3,SHA256=C78B7737BB56827EAF8B5BBD904C7657CC69A4D9AF11378658C359B392D911B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:36.961{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C53B400618E6458CAFB1999C146558A,SHA256=29399B651E78A1031C7AA30C136F6B3F4533CA34C85D065832ED4FDDFB44FE1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:36.312{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0A3517A3E62E6F75F1B76371C3C303,SHA256=A05EB2177B956E32C25D8E0C37FD3D9FCD0192DFB5CD2A7890F4EC17D712ABE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:37.381{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C26825E002801DE05B05E3ABA710BD,SHA256=6B1A713D9F3BB9D4DE5063D544B2390D184EFF7D23DE0485EAF08DB869BBA1BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:37.345{AF4EC832-6B63-6442-0D00-00000000DC02}8964028C:\Windows\system32\svchost.exe{AF4EC832-76C4-6442-F805-00000000DC02}5980C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:38.411{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0559B55B532BC6B11F1115B4FDFEC9B9,SHA256=13354EEDCD4585066710598D01B7700858E649FBBD2C1AB85A098EA7981CAD59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:38.117{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC048B8617DE2370B852C41B3CAD97B,SHA256=13FD1A6E9F2F9FCAA5946874B0E25E0443BE2F492BA1BA1EB334DD1064CB3307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:39.529{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0240A901194C186D3601BD1D59C78B9,SHA256=B216701419CF079F6FC5334380AE3455B99B7E3C5C297324F73B392FB8C36E31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:37.462{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50567-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:39.229{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\respondent-20230421110509-058MD5=EE7CA4D56F38D62CCF0D7A12A5B7808D,SHA256=0572C912F12774856AC5683B533347D5C54F8BAC736BE01666CB5089D9031AF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:39.191{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9612E239F2D668B7A27EF30064A2B000,SHA256=A5D2DEB5F3431F9643DF37C0E14B73093F4D0B5F232F2AC0B39D2E5588E21871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:40.644{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05A0D234BED9AF792994A8749B63708,SHA256=2FF6D9CCF1AEEE2BAC7B0688BD7B734D27E71BD673FF2841984D3166282E8CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:40.301{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718EB2115924C881F12A6D8CE33CB965,SHA256=76DAD13F6B1AE9BA2C6B4E6E5978199F2BDDC141E357C2C0B2C0CA8DEFCE8016,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:40.243{223CB5FF-6DE3-6442-1900-00000000DD02}1868NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-048192e2939f26dbd\channels\health\surveyor-20230421110507-059MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:41.794{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E97D75B5259610CC38074CACDDC7D2,SHA256=F92F385CCA1B61C9BC9B2299C993EE5BA5D7B65B5932670DC5AF7265F84B95D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:41.327{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6780C7A8CE3E30603E8EFDDCA637B7F5,SHA256=34E1B01D73585EED19F08ECCE2CFF5297CE35E220743033809145EC2048DEDA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:37.209{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51806-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:42.878{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4AEF9F79A340C45E3C9107603E0CFE,SHA256=A4C4A76A1670218F935703A14FCF96EC6D5593EB6A681BBC28419F0C56DAF403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:42.390{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A82BFFA7A460CAE9B5FBA21A3943210A,SHA256=4F6379FF9DE81A23806F99E1B1FACDA2A710BA0D9D42C0499E67AB8304EC4779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:43.978{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3514B1619C0C82A92026DAECF1319E,SHA256=4AA34095B5790E7C96368071BFCDD17FC23F47578DCE3586EA8CF3AB64A77764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:43.514{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFCFBCE58AE2324DD0AA6413F484353,SHA256=631683CA8142081B62530532A516BC5CBE535AD54E4BB332C9C1562B74C023D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:44.589{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00317D4213D302D0BECF0669C37A71E7,SHA256=E4A98FDDB4822766084D1F8B309216D11FF6955B400DBC5EA6496726FD32452E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:44.127{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E9D3212080BC3F81BBBC5F7A3033BFA,SHA256=4EDC46DBD96C4FB0361B124C166D6BA8736786D1B58E346DDAF01C6F2E7F391B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:45.643{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83131C6524525C766362B400D18682CF,SHA256=252CBEEDA662C02799850E881F86EBF2F2FC1E3264B4B9AA7643F8060904CE83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:45.103{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:45.103{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:45.103{223CB5FF-718D-6442-6A01-00000000DD02}35964380C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:45.073{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:45.073{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:45.073{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:45.073{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:45.211{AF4EC832-6B63-6442-0D00-00000000DC02}8964028C:\Windows\system32\svchost.exe{AF4EC832-76C4-6442-F805-00000000DC02}5980C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:45.095{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AAE01C961BB9121786A67F89016E26,SHA256=AEDBEC8730AB82AA95275B577CD48FD6883A760960FA7314513E71509AAD8A7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:46.677{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D11FB8CC625B065C0B821D92CAFFAAD2,SHA256=A7BC41FB3506F944B15130B6CDD8B1BD7B96A112482522601B43352E26338D4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:42.303{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51807-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:46.211{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66774D00C531AD73A2CA79251D170413,SHA256=C99926BA1C86E8B4539D037015D6A5A0A5A210983298CC74B9C41FB13EBD80A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:43.441{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50568-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:47.797{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D944561C286D049D8512E19B86EF4235,SHA256=6DE9662600BBE88D7ED81DF29B77FB05CC8148200481C2D4D5130AD7E13333D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:47.279{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4646F994BA92E26A361A7ED7BA68F4B0,SHA256=464D4929EF75FC385AFCEE0DF78A9CFD979742649F7B0B8F8BE8182D6A0F2589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:47.263{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83F485C2D0B7BC4B4106A1BC8888F34,SHA256=FD48A928BE4D56C1CD4E5F44EE6F744B55459BF930328A36D968EDA06FC73A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:48.883{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0915997F47C3AE17DC6ECEB0C30F4136,SHA256=C87676DC5F6AB24AFE2CCD4D5325C32C6F6FCBBB70AE71A8ED7E8B5491F9828D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:48.379{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A9143CCE118E20E1B5A8742C8D2AEA,SHA256=6683E421E0932C7FE4E178E8E619F8CD8196AF29281C2FD405F1D4FBBBBA34F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:49.495{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5604601B5DB52F29C59A230D20EAE77E,SHA256=16C1721CC15852EB5336BC9200CB06E7F86C6C42F7B5D65A3DF692DCFC69F956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:50.578{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1A48E4E0DAB837DEACB811FC90EA55,SHA256=0ED4B91B4229410C1C60C0F1A65EA958020F637E3BB183620221C864E7309C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:50.003{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9023329C90B4A2587EF78155B3CAF7EE,SHA256=9E34AF6A222F11D2C4B19204CE4FB739F1512579A42C0DE601249A92B4D08173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:51.694{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73D148EDF0252E53510E6B156AC3660,SHA256=25EBD2BE268F18818B8F0E20316D110717EAAB83B7EBC81569C5E72CC15397E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:49.325{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50569-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:51.059{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B84BED37C11AA3647C47FF97B5BBF4,SHA256=26DB9E220F82E2B24E560DF8C3E6F3289267160CDEBC841956165D91D96B2D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:52.811{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022D5BEF58FD937B1AD41E1B43815365,SHA256=EAF023346192FF817D75C8AF1D4211CD523FA3CBFE03BFF7F06A0C5A1C732392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:52.178{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F5A0FBFE3B6BE5AD29F289B136D9F2,SHA256=3A1AF1EBF99CE2FF17B947AB02FD44EAAFADA690BF1F48148884ECD14EEB2FA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:48.153{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51808-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:53.912{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83FBB14668C86091F2C2D692483703C1,SHA256=37D91926FF13710DEF4CC4890F37556A3218D1DDD67AFD199274956C09AF20B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:53.196{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02AECC29A8A7F6347E3AE2ECF44E0A17,SHA256=11E82116FD65D65E43E5EA559CC51E26E604977511204374D25F20208A51272D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:54.341{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B214D0971CAFC163A83A7AD4463D660,SHA256=A74319048A5B3CB2EE00435999DFE187849A7890180C03FE0777F8ABDF8C5872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:55.385{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50568A13AB7827843B43D07616EB777,SHA256=5A8A7B6A01F0B194D07952D6CA06DE1B16B84DB1EC78D0053B41F57757E11DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:55.045{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A86BA3EBA4751954E122A931D87D08A,SHA256=A98D6BEF9E59F9D3B275D999E9A685DCD2C6E78D7315458EB12408ECD3FB3B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:56.503{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78628C530A879E726943D6719E03F022,SHA256=AB8C81243301EDD6A92985DE7372DC44259E945D88EE642C952DE0127B566E80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:56.446{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7C24-6442-7403-00000000DD02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:56.446{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:56.446{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:56.446{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:56.446{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:56.446{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7C24-6442-7403-00000000DD02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:56.446{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7C24-6442-7403-00000000DD02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:56.447{223CB5FF-7C24-6442-7403-00000000DD02}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:53.324{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51809-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:56.146{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D91553C5AE30433D8FD634B9A49521C,SHA256=D5D10D968F423EE0E71BD2F3F98B63C6B7E145FB1E949FB40C81F0D42DA9A37B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.950{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7C25-6442-7603-00000000DD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.950{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.950{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.950{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.950{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.950{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7C25-6442-7603-00000000DD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.950{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7C25-6442-7603-00000000DD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.952{223CB5FF-7C25-6442-7603-00000000DD02}2944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000024609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:54.339{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50570-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000024608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.657{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.657{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.657{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000024605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.474{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889264086F891A71DE3441E3F8F8F02A,SHA256=6602EED2CB333DBB5970BAB6A3EDD5B569259206FFE095ABBAAE9D16736126B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.474{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D0C6241E94FD9051D75209C79A24E771,SHA256=107B5DA6DBFF371CF2BF9476DD8426DABC10E509196787E0BEC1A22858BB0CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.474{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=956B12BB5D4CF547110ADE107BFFD78A,SHA256=38607AC75B0CFC713C105A7CC7134329105015F21341304EF3A1307FEE45FE45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.459{223CB5FF-7C25-6442-7503-00000000DD02}59126536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:57.231{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A299326A0E2B39FA4F8A660D7821B079,SHA256=EF969A8A61CE76A9A603D49C25DC74C333BD1B07B51B466560558E891D66EB85,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.305{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7C25-6442-7503-00000000DD02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.305{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.305{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.305{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.305{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.305{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7C25-6442-7503-00000000DD02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.305{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7C25-6442-7503-00000000DD02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:57.306{223CB5FF-7C25-6442-7503-00000000DD02}5912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000024629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.819{223CB5FF-772D-6442-9602-00000000DD02}7160C:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate_dummy_reg.bat2023-04-21 11:44:34.413 23542300x800000000000000024628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.818{223CB5FF-772D-6442-9602-00000000DD02}7160WIN-HOST-CTUS-A\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate_dummy_reg.batMD5=1285DCAA170839F294A2E773C4769103,SHA256=7B77BC1145884989BF33913C44122DA07F23A712B0663F95A8904EFF86979CCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.728{223CB5FF-7C26-6442-7703-00000000DD02}44324392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.562{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7C26-6442-7703-00000000DD02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.552{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.552{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.552{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.552{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.552{223CB5FF-6DE1-6442-0500-00000000DD02}420436C:\Windows\system32\csrss.exe{223CB5FF-7C26-6442-7703-00000000DD02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.552{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7C26-6442-7703-00000000DD02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.555{223CB5FF-7C26-6442-7703-00000000DD02}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:58.508{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA6CD07A906EA1E9CD0E4A0BCE2FF14,SHA256=B16BCEB64F9025744773A99B24943F0CE8F2853D366485FF3D323A718246EF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:58.250{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02F3A22BD38DD0CFA6654CA929E1B825,SHA256=11BA9715F0B2B88A4CDA43C079C9577C0A06D4ADAD6EEA4B748D6A4B5BA7B6AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.579{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B206F6086C32D5E12428083B6BFDF15,SHA256=78C3C9D805BBD24A5DC2053830297ECB4447D7543E84DC2100F4D18183B9196F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:59.682{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1AC95BB9659B5A44438653F12F39FBC,SHA256=262DECC8A43AF50F94264356CD4909FED44BA892A49E5018D1924C070848B0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:59.330{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C799AF8350E62423F2DC1205144008,SHA256=40F9CD3FB210634BE017452FBE3A2BF053462C6EC66CF31186F42CF7BD0754CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.337{223CB5FF-7C27-6442-7803-00000000DD02}52647052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.169{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7C27-6442-7803-00000000DD02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.167{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.167{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.166{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.166{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.166{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7C27-6442-7803-00000000DD02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.166{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7C27-6442-7803-00000000DD02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.166{223CB5FF-7C27-6442-7803-00000000DD02}5264C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.976{223CB5FF-7C28-6442-7903-00000000DD02}5628600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.781{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7C28-6442-7903-00000000DD02}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.781{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.781{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.781{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.781{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.781{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7C28-6442-7903-00000000DD02}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.781{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7C28-6442-7903-00000000DD02}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.782{223CB5FF-7C28-6442-7903-00000000DD02}5628C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000024647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.706{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.706{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.706{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.697{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.697{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.697{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.697{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000024640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:00.612{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0BB3C7961FA5A58B35DE8056CC433D,SHA256=B17A327DA0E3674B54B071C0AE06239FF54BD0045C98F9CBCBC198D546630D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:56.655{AF4EC832-6B60-6442-0B00-00000000DC02}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51810-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 354300x800000000000000029360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:56.655{AF4EC832-6B71-6442-2000-00000000DC02}2440C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local51810-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-616.attackrange.local389ldap 23542300x800000000000000029359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:00.431{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F5DCE62B926FE15488BB54541086B3,SHA256=1BBC8D9237EC194E2EC08EFD46E372A0025F3A6C94B96CD9365A9E66BBDDF008,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:05:59.508{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50571-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:01.698{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4047C8DB09BCD2370709C315E9AC804F,SHA256=2A822D5F2DA5984AD585F1D6D65A20E30549CFC61F807CE7C932314C45DBBD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:01.480{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D685FEC888A67AF3CAF960BF5F86F2B,SHA256=61C199EDDF91AFB3825EFD244EC9DCAC310DE8E8087DC08B702195E43BDEE444,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:01.456{223CB5FF-6E46-6442-9E00-00000000DD02}31202300C:\Windows\system32\conhost.exe{223CB5FF-7C29-6442-7A03-00000000DD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:01.456{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:01.456{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:01.456{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:01.456{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:01.456{223CB5FF-6DE1-6442-0500-00000000DD02}4201504C:\Windows\system32\csrss.exe{223CB5FF-7C29-6442-7A03-00000000DD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:01.456{223CB5FF-6E46-6442-9A00-00000000DD02}8763604C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{223CB5FF-7C29-6442-7A03-00000000DD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:01.457{223CB5FF-7C29-6442-7A03-00000000DD02}5864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{223CB5FF-6DE1-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:02.736{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD86D100F3E03634416ECDCE2D8855D,SHA256=4C3B7275182E524D2A096B0895B15BDC59375FE5033F6A226109CCC978DB9BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:02.580{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2952F79B89F5992A28466484B44ECA,SHA256=DFFB924C8C0B9EBAA689D1A7CA1EBE385EBFBDC2B3EDB3170A25F40B91BE6B57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:05:59.204{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51811-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:03.762{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E6764EA6B47C81C0250895B8FCB5350,SHA256=DE160C36B4519B72F8B316E4A5AD64CCD16138136FEB210F137BA195D7B730F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:03.611{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=272688A35A1D57B536BA03530AA8757F,SHA256=6CBC5375865A0109C315372A9C82E2E372A1E6663DDA90100B209B77C31DBA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:04.921{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7D4FF8EE1C72841BEFCE0D66DF1E45,SHA256=78662BDF92B54FADC77D40172941B6053216CA6A8EAE12A20CDE5161C4C8DC0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:04.729{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A598A2979D7DA282DD61A62DDD752EA3,SHA256=F0EF61A747305F5AF715A84513B3045458B322CEB280EB9BAC762820169663FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:05.846{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD1E4AD54EA0952EC9E2A2A02EEE7E3,SHA256=0E6E2F865CBB19654C1ED98C3AECE7AB81060D078D6FA0E6373EDB373CE8EFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:05.970{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5619D93AECD1D3494A44C79863D96590,SHA256=4403B82E4EC092B4DCBF161B183241C22CD92B9F39ED7A5CC9527C6C1A5F9A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:06.966{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D34AC6DF67FE3398EB20CB11B1A2C55,SHA256=43DA8CC6F1B60DDE54A7EC922050630B0D309C9C03B58B4FBF267B6788C8C24A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.724{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05CBFC5D82E8861CFC578E9F9D06625,SHA256=04A8CFB8919D0BB6FFCC4678403C165E2CB1F140623BAC0C34E9AF5583BB57DE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000024851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.683{223CB5FF-7C2E-6442-8D03-00000000DD02}6904C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateServiceUrlAlternateserver.wsus 10341000x800000000000000024850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.683{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8D03-00000000DD02}6904C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.671{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.671{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.671{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.671{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.671{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8D03-00000000DD02}6904C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.671{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8D03-00000000DD02}6904C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.678{223CB5FF-7C2E-6442-8D03-00000000DD02}6904C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "UpdateServiceUrlAlternate" /t REG_SZ /d "server.wsus"C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.655{223CB5FF-7C2E-6442-8C03-00000000DD02}224C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServerserver.wsus 10341000x800000000000000024841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.655{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8C03-00000000DD02}224C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.655{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.655{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.655{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.655{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.655{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8C03-00000000DD02}224C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.655{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8C03-00000000DD02}224C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.655{223CB5FF-7C2E-6442-8C03-00000000DD02}224C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUServer" /t REG_SZ /d "server.wsus"C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.627{223CB5FF-7C2E-6442-8B03-00000000DD02}344C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServerserver.wsus 10341000x800000000000000024832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.627{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8B03-00000000DD02}344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.627{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.627{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.627{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.627{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.627{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8B03-00000000DD02}344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.627{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8B03-00000000DD02}344C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.633{223CB5FF-7C2E-6442-8B03-00000000DD02}344C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "WUStatusServer" /t REG_SZ /d "server.wsus"C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.612{223CB5FF-7C2E-6442-8A03-00000000DD02}6436C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocationsDWORD (0x00000001) 10341000x800000000000000024823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.612{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8A03-00000000DD02}6436C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.612{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.612{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.612{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.612{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.612{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8A03-00000000DD02}6436C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.612{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8A03-00000000DD02}6436C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.617{223CB5FF-7C2E-6442-8A03-00000000DD02}6436C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnectToWindowsUpdateInternetLocations" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.596{223CB5FF-7C2E-6442-8903-00000000DD02}6328C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServerDWORD (0x00000001) 10341000x800000000000000024814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.596{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8903-00000000DD02}6328C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.596{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.596{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.596{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.596{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.596{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8903-00000000DD02}6328C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.596{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8903-00000000DD02}6328C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.603{223CB5FF-7C2E-6442-8903-00000000DD02}6328C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "UseWUServer" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.596{223CB5FF-7C2E-6442-8803-00000000DD02}4676C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsersDWORD (0x00000001) 23542300x800000000000000024805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.596{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3DD4EDA3EA5B669143D6634AB4741E,SHA256=BBF4466F6A04182B0582BC251DE4CAA849067746DA793860907D5381C2F58C94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.581{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8803-00000000DD02}4676C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.581{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.581{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.581{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.581{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.581{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8803-00000000DD02}4676C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.581{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8803-00000000DD02}4676C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.590{223CB5FF-7C2E-6442-8803-00000000DD02}4676C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRebootWithLoggedOnUsers" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.581{223CB5FF-7C2E-6442-8703-00000000DD02}3772C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdateDWORD (0x00000001) 10341000x800000000000000024795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.581{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8703-00000000DD02}3772C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.555{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.555{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.555{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.555{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.555{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8703-00000000DD02}3772C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.555{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8703-00000000DD02}3772C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.561{223CB5FF-7C2E-6442-8703-00000000DD02}3772C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUpdate" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.553{223CB5FF-7C2E-6442-8603-00000000DD02}5236C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdatesDWORD (0x00000000) 10341000x800000000000000024786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.548{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8603-00000000DD02}5236C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.528{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.528{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.528{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.528{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.528{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8603-00000000DD02}5236C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.528{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8603-00000000DD02}5236C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.541{223CB5FF-7C2E-6442-8603-00000000DD02}5236C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AutoInstallMinorUpdates" /t REG_DWORD /d 0C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.512{223CB5FF-7C2E-6442-8503-00000000DD02}6308C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptionsDWORD (0x00000002) 10341000x800000000000000024777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.512{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8503-00000000DD02}6308C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.512{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.512{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.512{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.512{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.512{223CB5FF-7189-6442-5701-00000000DD02}28642496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8503-00000000DD02}6308C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.512{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8503-00000000DD02}6308C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.519{223CB5FF-7C2E-6442-8503-00000000DD02}6308C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOptions" /t REG_DWORD /d 2C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.512{223CB5FF-7C2E-6442-8403-00000000DD02}6892C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotificationsDWORD (0x00000001) 10341000x800000000000000024768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.496{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8403-00000000DD02}6892C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.481{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.481{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.481{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.481{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.481{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8403-00000000DD02}6892C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.481{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8403-00000000DD02}6892C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.491{223CB5FF-7C2E-6442-8403-00000000DD02}6892C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.481{223CB5FF-7C2E-6442-8303-00000000DD02}2508C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnableDWORD (0x00000001) 10341000x800000000000000024759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.455{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8303-00000000DD02}2508C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.455{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.455{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.455{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8303-00000000DD02}2508C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.455{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.455{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.455{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8303-00000000DD02}2508C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.464{223CB5FF-7C2E-6442-8303-00000000DD02}2508C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.448{223CB5FF-7C2E-6442-8203-00000000DD02}6944C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoringDWORD (0x00000001) 10341000x800000000000000024750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.428{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8203-00000000DD02}6944C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.428{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.428{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8203-00000000DD02}6944C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.428{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8203-00000000DD02}6944C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.435{223CB5FF-7C2E-6442-8203-00000000DD02}6944C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.412{223CB5FF-7C2E-6442-8103-00000000DD02}6768C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtectionDWORD (0x00000001) 23542300x800000000000000024741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.371{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E21275741975DAA3BA8C91EF41312C97,SHA256=7FA42A7526A71EBB3DF2FE5CD2C089E8E89E227CA463EBEF69D519169F61E9CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.327{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8103-00000000DD02}6768C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.327{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.327{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.327{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.327{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.327{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8103-00000000DD02}6768C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.327{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8103-00000000DD02}6768C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.336{223CB5FF-7C2E-6442-8103-00000000DD02}6768C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.312{223CB5FF-7C2E-6442-8003-00000000DD02}7064C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtectionDWORD (0x00000001) 10341000x800000000000000024731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.298{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-8003-00000000DD02}7064C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.298{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-8003-00000000DD02}7064C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.298{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.298{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.298{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.298{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.298{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-8003-00000000DD02}7064C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.307{223CB5FF-7C2E-6442-8003-00000000DD02}7064C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.281{223CB5FF-7C2E-6442-7F03-00000000DD02}3316C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoringDWORD (0x00000001) 10341000x800000000000000024722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.281{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-7F03-00000000DD02}3316C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.281{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.281{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.281{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.270{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-7F03-00000000DD02}3316C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.270{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.270{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-7F03-00000000DD02}3316C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.280{223CB5FF-7C2E-6442-7F03-00000000DD02}3316C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.270{223CB5FF-7C2E-6442-7E03-00000000DD02}4664C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpywareDWORD (0x00000001) 10341000x800000000000000024713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.255{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-7E03-00000000DD02}4664C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.255{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.255{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.255{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.255{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.255{223CB5FF-7189-6442-5701-00000000DD02}28642888C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-7E03-00000000DD02}4664C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.255{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-7E03-00000000DD02}4664C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.264{223CB5FF-7C2E-6442-7E03-00000000DD02}4664C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 13241300x800000000000000024705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328T1484SetValue2023-04-21 12:06:06.255{223CB5FF-7C2E-6442-7D03-00000000DD02}3460C:\Windows\system32\reg.exeHKU\S-1-5-21-2249407279-2659954650-342429190-500\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtectionDWORD (0x00000000) 10341000x800000000000000024704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.255{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-7D03-00000000DD02}3460C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.241{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-7D03-00000000DD02}3460C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.241{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.241{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.241{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.241{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.231{223CB5FF-7C2E-6442-7B03-00000000DD02}66486540C:\Windows\system32\cmd.exe{223CB5FF-7C2E-6442-7D03-00000000DD02}3460C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.241{223CB5FF-7C2E-6442-7D03-00000000DD02}3460C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 0C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" " 10341000x800000000000000024696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.215{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.215{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.215{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.215{223CB5FF-718C-6442-6501-00000000DD02}40162116C:\Windows\system32\taskhostw.exe{223CB5FF-7C2E-6442-7C03-00000000DD02}2212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.215{223CB5FF-718C-6442-6501-00000000DD02}40162116C:\Windows\system32\taskhostw.exe{223CB5FF-7C2E-6442-7C03-00000000DD02}2212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.203{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.203{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.203{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.200{223CB5FF-718D-6442-6A01-00000000DD02}35966832C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c437|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.199{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7C03-00000000DD02}2212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.196{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7C03-00000000DD02}2212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.196{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7C03-00000000DD02}2212C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.196{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7C03-00000000DD02}2212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.181{223CB5FF-6DE2-6442-1100-00000000DD02}968388C:\Windows\system32\svchost.exe{223CB5FF-7C2E-6442-7C03-00000000DD02}2212C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.181{223CB5FF-6DE2-6442-1100-00000000DD02}9681148C:\Windows\system32\svchost.exe{223CB5FF-7C2E-6442-7C03-00000000DD02}2212C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6154|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14462|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.181{223CB5FF-7C2E-6442-7C03-00000000DD02}22125668C:\Windows\system32\conhost.exe{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.171{223CB5FF-7189-6442-5701-00000000DD02}28645488C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-7C03-00000000DD02}2212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6ce4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.156{223CB5FF-6DE2-6442-1200-00000000DD02}1041008C:\Windows\System32\svchost.exe{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+452ce|C:\Windows\System32\RPCRT4.dll+27d07|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.156{223CB5FF-6DE2-6442-1200-00000000DD02}1041008C:\Windows\System32\svchost.exe{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+452ce|C:\Windows\System32\RPCRT4.dll+27d07|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.156{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.156{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.156{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.156{223CB5FF-6DE2-6442-0C00-00000000DD02}728916C:\Windows\system32\svchost.exe{223CB5FF-6DE3-6442-1B00-00000000DD02}1936C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.156{223CB5FF-7189-6442-5701-00000000DD02}286496C:\Windows\system32\csrss.exe{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000024672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.156{223CB5FF-718D-6442-6A01-00000000DD02}35966864C:\Windows\Explorer.EXE{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Windows\System32\windows.storage.dll+5ce6f|C:\Windows\System32\windows.storage.dll+5cae5|C:\Windows\System32\windows.storage.dll+5c5d6|C:\Windows\System32\windows.storage.dll+5da48|C:\Windows\System32\windows.storage.dll+5c3fe|C:\Windows\System32\windows.storage.dll+5ef9d|C:\Windows\System32\windows.storage.dll+5f6dc|C:\Windows\System32\windows.storage.dll+5ea40|C:\Windows\System32\windows.storage.dll+17261e|C:\Windows\System32\windows.storage.dll+172312|C:\Windows\System32\SHELL32.dll+4c929|C:\Windows\System32\SHELL32.dll+4b4d6|C:\Windows\System32\SHELL32.dll+6d049|C:\Windows\System32\SHELL32.dll+e480e|C:\Windows\System32\SHELL32.dll+15474c|C:\Windows\System32\SHELL32.dll+1544a3|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000024671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:06.164{223CB5FF-7C2E-6442-7B03-00000000DD02}6648C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\simulate_dummy_reg.bat" "C:\Temp\WIN-HOST-CTUS-A\Administrator{223CB5FF-718B-6442-F6C5-110000000000}0x11c5f62HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{223CB5FF-718D-6442-6A01-00000000DD02}3596C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x800000000000000024855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:05.442{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50572-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:07.198{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B65AC6643B2C40FF37479C4C617B51D,SHA256=A54022FA50F4BF57630023196DC2F8B44ED3BD2F4352CA2BF311F0EDF584AB01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:07.113{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AE28AA614270D56F439A9EC113C144,SHA256=205742FA70B6E2F0FBDFA7BD206FEFE2830FA0423F13FD35D29DC1612C55CCCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:08.255{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135A7CCBEEEC56CCEC1AA02F07355B79,SHA256=44BC51A708C36F3C41A2D5BFA9FD21DD002629485B698AC7D98B0CEB694CDBB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:05.139{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51812-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:08.047{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=452DA1A365377A8FF601623D6CB395DC,SHA256=FAD700595CA9451A10A19A444A1CF04440ECDBA3446DE0F226DF0C7C732AEBBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:08.020{223CB5FF-6DE2-6442-1300-00000000DD02}288NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=265405330A45E354727A215AE76067E9,SHA256=A17115F4F69CA7DB469972C3E8904E0ABFC9C066AEFD5E58076119549990DE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:09.282{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6A1BCF98B91429B2D4B76D9ADBC2844,SHA256=5C2109BEF9AE4012BC6B39B7CB6818B717EF4943499E2C63114DB0B4A818F647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:09.166{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900E19CA0A2FEF68B648B507EF593F00,SHA256=334B503E6400D52F7BAF0EB028E06843C98682444990A58ADC006E11DAD50985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:10.326{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FCC09BD3AE868341377CE67CB8CC207,SHA256=3DE86EA17EEC0A3173443EF9AD3A92435A222EE2F537103B697854D505E624B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:10.265{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1339ABF054BFD3CB52CD78DA0435F7A8,SHA256=F6C6226B64E0C7112E5D01BA2CADF197D489C50BF7F18FA9AE1E601C3E675C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:11.444{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA676C0C721652CD7D657E37DDD3FD0F,SHA256=584E2D6B9509865B6D702DD4B76F43255008D957639B24E6973557A53F991E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:11.380{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A15675B170C8369091542D7493F81280,SHA256=86DD20619E986F161074CD727EE34371429BB3B8C16CBC599A54D670C541813B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:12.489{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=459A84A45B56730D81F9CCB6BE38509C,SHA256=1C1078A25F894079DE6D34475A8D1D98F84CE67AE85C5B6D17EE400B1B91E25B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:12.396{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CA7C708A4CD0FD6968D577ACC30977,SHA256=B4617FC75A20226990996D5A109630B0952F5F4504CCD40310B747354EEFBA07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:13.549{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2990ADF8BEE955EA03B760CBE0B56E74,SHA256=47DEA2FB8ECE5BB2E42BB234F188E9C3E2AA9A6D05D7852EBE9AB2214B279C61,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:10.203{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51813-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:13.511{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68FBD57EC273A6CF7E6679069C553EC,SHA256=24FFDD3607732295749F67FBAECC977EB9F08562C2E9A4AE498EBE3462C86495,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000024868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:13.080{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0815|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:13.079{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+e072e|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:13.079{223CB5FF-718D-6442-6A01-00000000DD02}35962788C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B201-00000000DD02}2476C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e06f7|C:\Windows\Explorer.EXE+3c648|C:\Windows\Explorer.EXE+3c4d4|C:\Windows\Explorer.EXE+3c441|C:\Windows\System32\windows.storage.dll+ebbef|C:\Windows\System32\windows.storage.dll+ea96f|C:\Windows\System32\windows.storage.dll+19e10f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:13.073{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+deccf|C:\Windows\System32\SHELL32.dll+e0ea0|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:13.072{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+bb490|C:\Windows\System32\SHELL32.dll+e0e5c|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:13.072{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\SHELL32.dll+def24|C:\Windows\System32\SHELL32.dll+e0e30|C:\Windows\System32\TwinUI.dll+12cba1|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000024862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:13.072{223CB5FF-718D-6442-6A01-00000000DD02}35964692C:\Windows\Explorer.EXE{223CB5FF-7293-6442-B301-00000000DD02}5648C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Windows\System32\TwinUI.dll+12c9d9|C:\Windows\System32\TwinUI.dll+12d40f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:14.965{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7C36-6442-9E06-00000000DC02}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:14.965{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:14.965{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:14.965{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:14.965{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:14.965{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7C36-6442-9E06-00000000DC02}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:14.965{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7C36-6442-9E06-00000000DC02}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:14.965{AF4EC832-7C36-6442-9E06-00000000DC02}5140C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:14.629{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=690FA0CEE309A21480075021BFB14F20,SHA256=E4D2B9D357C79860AF36E11629E5C5A474AB977500D3F3B5D7E3F7A736363116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:14.594{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46415DAA847972A14A650361E0E986F,SHA256=68260BFEF1390768186323395030587D1C8C2FF69008BF6E63A1AF6DC9FDC724,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:11.386{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50573-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:15.764{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C60D6E6BB0EBD3F7FEBAD4173B899334,SHA256=75215A3848831C001837CD93FE4A14861183F928790C5711A70EDCE6A9C038BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:15.671{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89A43E63EE5ED8CDDF807208BB5C4404,SHA256=0A9C712BFDB9C650F2806488DAE235E9027B73DF57C320CE0B37C6CBB9BC63DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:16.755{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3965893869A9DB2B69EE1FDB232A2E5F,SHA256=02345903A77936B2BD41D8FE8D61EDD4B30092A42D5AE189F7055EAE0E798AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:16.895{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF0108F6370070147381FB22E7050E1,SHA256=8EBB6E51BCC0695E4518464686AFD2A27C22CDFB058576AB8BD05DFA157C5AE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:16.049{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3B692462E73B5941BDD574DD50C84DE,SHA256=51C46953A37A1DF3BA41318E4F8DBAE75A17C10892E8DC79B0A5B8D12129966D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:17.774{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7495940A5D716A6765764E49E7D27D,SHA256=F8D90DA289C68E0F23432E639B06AB05D184775AE7BF77ED21B3642737182BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.910{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5A4978BED108B5E0B7B9D42C722610,SHA256=474A6A6E9E1DB3836172021CC29D9B19E1478B206A5CD27FA61306A34AE485CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.848{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7C39-6442-A006-00000000DC02}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.844{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.844{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.844{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7C39-6442-A006-00000000DC02}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.844{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.844{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.844{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7C39-6442-A006-00000000DC02}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.845{AF4EC832-7C39-6442-A006-00000000DC02}5440C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.495{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=434643E139B7F058CD9A5F8478A75725,SHA256=6236EABA9B46A32881282A7D21877F41A91BCEB80ACC5CBE8DEEEBEE926E8708,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.163{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7C39-6442-9F06-00000000DC02}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.163{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.163{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.163{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.163{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.163{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7C39-6442-9F06-00000000DC02}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.163{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7C39-6442-9F06-00000000DC02}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:17.164{AF4EC832-7C39-6442-9F06-00000000DC02}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:18.802{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3557B87E4C4EAEE21BF60BC3009ACE,SHA256=EBF095DBF3D8E25E12A897CA20C5794DB6E8008513685396294E59FACF8692DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:15.321{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51814-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000029416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:18.695{AF4EC832-7C3A-6442-A106-00000000DC02}63486016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:18.511{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7C3A-6442-A106-00000000DC02}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:18.511{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:18.511{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:18.511{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:18.511{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:18.511{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7C3A-6442-A106-00000000DC02}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:18.511{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7C3A-6442-A106-00000000DC02}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:18.512{AF4EC832-7C3A-6442-A106-00000000DC02}6348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:18.063{AF4EC832-7C39-6442-A006-00000000DC02}54402368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000024878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:19.847{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F417FB4BF1B2816211726B9B5BC1DAB0,SHA256=8C92172F9A99311731379DB4201A41764C4D0B7C4AA80DEDAA9C2E56946268F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:19.636{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:16.395{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50574-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x800000000000000029427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.511{AF4EC832-7C3B-6442-A206-00000000DC02}46565092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.329{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7C3B-6442-A206-00000000DC02}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.329{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.328{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.328{AF4EC832-6B60-6442-0500-00000000DC02}4128C:\Windows\system32\csrss.exe{AF4EC832-7C3B-6442-A206-00000000DC02}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.328{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7C3B-6442-A206-00000000DC02}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.327{AF4EC832-7C3B-6442-A206-00000000DC02}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.029{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B97DDE53DBF61FA41DF67EA5D6BD89A3,SHA256=E93A6221F8957508F75CA955981F81A1800A7C1455E93427B630D51D73353403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:20.883{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82C7BA972EF2E34C20D6D0B19175F04C,SHA256=AC1CDD5290D8C0D014738E22B7F63151645CACDC8D86E9DDD440688B61CD330C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:20.680{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7C3C-6442-A406-00000000DC02}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:20.680{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:20.680{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:20.680{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:20.680{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:20.680{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7C3C-6442-A406-00000000DC02}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:20.680{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7C3C-6442-A406-00000000DC02}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:20.681{AF4EC832-7C3C-6442-A406-00000000DC02}6164C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:20.181{AF4EC832-7C3B-6442-A306-00000000DC02}37524380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000029436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:20.097{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D555417B3F5E3863340F12FA7090572D,SHA256=FE117359821450223538ACD6A74AD7375F760D18D3B020179B143140CC875127,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.997{AF4EC832-6BFF-6442-BA00-00000000DC02}48484880C:\Windows\system32\conhost.exe{AF4EC832-7C3B-6442-A306-00000000DC02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.997{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.997{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.997{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.997{AF4EC832-6B62-6442-0C00-00000000DC02}8403796C:\Windows\system32\svchost.exe{AF4EC832-6B71-6442-2600-00000000DC02}2592C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+5ea34|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a8d3|C:\Windows\System32\RPCRT4.dll+d4c81|C:\Windows\System32\RPCRT4.dll+1f8bc|C:\Windows\System32\RPCRT4.dll+45864|C:\Windows\System32\RPCRT4.dll+4477d|C:\Windows\System32\RPCRT4.dll+4502b|C:\Windows\System32\RPCRT4.dll+27edc|C:\Windows\System32\RPCRT4.dll+2835c|C:\Windows\System32\RPCRT4.dll+37aac|C:\Windows\System32\RPCRT4.dll+3930b|C:\Windows\System32\RPCRT4.dll+3efba|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000029430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.997{AF4EC832-6B60-6442-0500-00000000DC02}412524C:\Windows\system32\csrss.exe{AF4EC832-7C3B-6442-A306-00000000DC02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000029429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.997{AF4EC832-6BFE-6442-B600-00000000DC02}46603996C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AF4EC832-7C3B-6442-A306-00000000DC02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7424|C:\Windows\System32\KERNELBASE.dll+24890|C:\Windows\System32\KERNELBASE.dll+22e56|C:\Windows\System32\KERNEL32.DLL+1c363|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000029428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:19.998{AF4EC832-7C3B-6442-A306-00000000DC02}3752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AF4EC832-6B61-6442-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000024880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:21.936{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB49E3011BC0ECF76D14C5833CFD50CF,SHA256=18F1612EDE624737D2E5575F80A0554A1CF0EE2B08606C5A176BE90C2DB6A8DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:21.366{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747ABB096720DCD89FF5945E1ECD0A28,SHA256=5E8A7343FD444D584F406120E50ABF7F2EF0CD0749076B6F7638228C742EE0F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:21.130{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B25E881B42900C6167A0420E6F40C7E,SHA256=1B6CA3A195ECC22B5711F58603B2FA270F55A576C9637EEE5FDEF4F0F5D28741,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:18.891{223CB5FF-6E46-6442-9A00-00000000DD02}876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50575-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000029448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:22.466{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6BA55CA9AE78F209CBD43BAA3D0338A,SHA256=BBCDB50426BAC098F13A45B5037856FD23B86FB8B19CC6DE006515989EB70456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:23.497{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD45AB56438564C9F08C860582D10AA8,SHA256=F77E072990C8BCBA6D25E0D1C27B49DDEC7712F215728370EA3C8ABAC200E84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:23.088{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F62C53ECB1DD8B21067E85D8FECEA11,SHA256=8D998DB227BB0866876DC79942FF4792236DD440197DC762D8CD639A87B0CEC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:21.204{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51815-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000029450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:24.529{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA266BB3629727D09F312E8BBDFBA298,SHA256=A739055E780E27ED1091771A2A2FE49DF66DDE2894C6B4C42A052E8006089D0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:21.408{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50576-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:24.156{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E66DB7694324F32D3FE0E96670C4C27,SHA256=8FB5B52236D87B31BEDA91F5CE29AEEB1B64414BF1B78E6C7280A4C327B7711F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:25.612{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A260608811EED9BFBCFF3EA6922FE3B,SHA256=850D4435985C715AEA7C835B2E8ADC22F7F03793E5A2995C963A255E45BA4AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:25.217{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C353377C59B4831CE928CAFE7F777043,SHA256=21EE2E16B2A8646FDD9127E9B5BB4363673A73B771C2316A666BAB68579D219F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:26.745{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A885139581A59C564C1BDAC678D5C7,SHA256=08910C7487BEA9BE9FF76F96E1D92A945F0877BA4AF513E94CDE51AC8A76074E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:26.262{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA3931026DE887792AFD70544E9E3DCD,SHA256=E64F60A2AA8FB479DD8D601EB4F4C6209831191384B4529879F5106D23B8D50F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:27.829{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CD9F019C212FA86B4899FA1536D904,SHA256=39FE472ECD88C68F04E8542FD084DABE8573FF54BB9474F9575DCE0FC78DD105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:27.812{AF4EC832-6BFE-6442-B600-00000000DC02}4660NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=FC00D52D1CE6373F9B005D09243F0470,SHA256=6F30FAEFEFE3438CF7D1558EADA5DC8114EA4149E2DFB23266F89D928AE9552D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:27.880{223CB5FF-6E46-6442-9A00-00000000DD02}876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9A4D533A3A222F4A3A907CAC7C79B87E,SHA256=5D6BE0F9521829A92DA31F86D841744881C83461FCB5306F2CC09F97406B957C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:27.296{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7362A3232D9E44003D7977CFEDF09DC,SHA256=F84526818435E9C7BC8D6EE4F346D523064A0C15F43B215BFFFF0D7DDB0E711A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:25.853{AF4EC832-6BFE-6442-B600-00000000DC02}4660C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51816-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x800000000000000029456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:28.930{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0A2D6A7A1B56356EBF4E18D2C318D9,SHA256=436866B16A0A41E360B86C072B5CFD49A51AB986E43CA0B40ABE682AA5270691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:28.324{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F707AC16CB43B42CC48D84E51FBE8A9F,SHA256=DCE3C24696F3383D343056A22F99AA18E8E66995F86A409DB5DA1AEEAB2098B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:27.366{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50577-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:29.368{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D78B4C6C5CF20FE39381388EBA05920,SHA256=455B3ADE62B7F545C5D70AB3FEE2A00C052EDC12F3D8F6C226E9A31699CFBC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:30.404{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E3D23C710C7A66D7FF286B792ACB9BB,SHA256=86E290FE71E1C858A416F4CC9D749B388C3098777A4B53AC3F41CD88D2E18C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:30.396{AF4EC832-6B63-6442-1300-00000000DC02}776NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4F9331A305C0235BD6FA754E918F1202,SHA256=ADA4F2864D24CD1EF4D2E4B8338AD7D003B225211C4C00F107BFEA94124E9DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:30.065{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2FEA6F91B61540606DD5AECD90FC12,SHA256=3C7FC8D655833E8777E7503F7D2213EB415F22BBF625D658F611A816B0A9A0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:31.436{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3578EA48F6424F76D608DA29E3248E8,SHA256=190FC2B3E7C1CC11CAA1C9B1ECB28AE991A844872214927D64365E8ABC8CB528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:31.683{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\respondent-20230421105444-069MD5=F8AB7BE3A9A5F568047CB5CBE0FEEC45,SHA256=CE70B2819540402430FAA5D05D2F20B9AEF41679754A4AF06E24EB03A4A7623B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:31.166{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362E88A36894FB8111F8AFC59F917B35,SHA256=436F2ABDF0A6C4FB94F5E7F46A1A1C9F4B27962FE9AD76C0FCA629E71A82712E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:27.207{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51817-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:32.495{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293CA728055F853D46F4C4622185305C,SHA256=C08BB3416AE476BFF86A26C9DCDF61508BB61AA2C982FD2EA19AF299C801CF68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:32.683{AF4EC832-6B71-6442-2400-00000000DC02}2476NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fcdb579a37d1eb18\channels\health\surveyor-20230421105442-070MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:32.231{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4FD6FBF499DBF9DFD1E11922F5E65F,SHA256=97EB50864A1EA3B7A1311B0662A2C83F61212CF65E8B1472330621E3FCC9FF47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:28.945{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal58233- 354300x800000000000000029463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:28.944{AF4EC832-6B71-6442-2200-00000000DC02}2456C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.us-east-2.compute.internal50052- 23542300x800000000000000024895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:33.541{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCF415C25C9526C5FCADAC6A54289FC,SHA256=AB65607EC655C0D070EAA49C4B12C86783B3C084BE9F65BF2047F1FFB87326C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:33.267{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD7BD96FF7283DDFE9BB2769569E2CC,SHA256=029C733ED5D8FDC397D8A0903BE4AC82A37A5ED15DC15A0A3F59F58F231E94BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:33.130{AF4EC832-6B63-6442-0D00-00000000DC02}8964028C:\Windows\system32\svchost.exe{AF4EC832-6B63-6442-1600-00000000DC02}1336C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6154|C:\Windows\System32\KERNELBASE.dll+2c44d|c:\windows\system32\rpcss.dll+2d25d|c:\windows\system32\rpcss.dll+3a6d6|c:\windows\system32\rpcss.dll+3c904|c:\windows\system32\rpcss.dll+29457|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000024896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:34.599{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E4AB0F314799767AA26B323E1DBB37,SHA256=E58C29C069CC6EEBC7B6C1E7915BFB6F6E2AB4CAEEE4B4A999456A87C7AE5831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:34.300{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1586AA7B8913DD308849327F0EC19145,SHA256=1866AA260C2A1892415031A0100988EA977A3AA224A14CBCDB8E4BE227A06621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:35.619{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07622382AEA0E4C5AC1A5730065D450,SHA256=204AA0BAC6868EF2DA0DDC57235CC108E1E3C4FDE6960F5DFFD0E041749F4A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:35.352{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99460D37DBC35EB76EB20FE6DFA433B1,SHA256=E13010352DDA163AB901D12D64AEE885E483A64E8683372455DD9C40F73A11CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:32.436{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50578-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:36.672{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69A936515EE73F421356FBA39231C2C,SHA256=1FF20FFA27B75F80137412CE8A37F916A03A779B1CB4D3A8E50C74A65A9E8A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:36.373{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F789E6DD1D25FBD0CC213D2FACB18D2F,SHA256=6072DFCD5CEC2EF96638A1AAB56C959398C2367545356F69F7DC6FF657389CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000024900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:37.806{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C178EA186944D37C548613DA548A6C77,SHA256=CBE070CA862514DF3384DBE33F1D6F5C58A4958F681FE5DEA9D8790C859EBF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:37.491{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D32166BFA7BD062E90AF10474FCC9DD,SHA256=6EEC6B64B62E85B99DAC41D7481F7E14C212A1DDBBD23D537B7FAE9709A7DF8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:33.208{AF4EC832-6C09-6442-E700-00000000DC02}2972C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-616.attackrange.local51818-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x800000000000000024901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:38.851{223CB5FF-6E54-6442-E600-00000000DD02}532NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCD16020D6B0014EA4E9236E88757562,SHA256=F7E88C88656C9FDDEE15353C389D139EAF9A6C7A0FD63133DE123990693B6536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:38.508{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC0F26D1ECD2C9341991F55BDCEBE3B0,SHA256=CAB94DF8AD5630259094EE1D5DB1385A142BC8C8B22838EB4B72904C80C2425D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-616.attackrange.local-2023-04-21 12:06:39.526{AF4EC832-6C0F-6442-0001-00000000DC02}5024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36194284A22005BFFFDF4E6F5DAACC0,SHA256=78AE7A329F52EDEAFAC311C34E1DC092B57CC7F099EF18049D385B7E381E0EBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000024902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-328-2023-04-21 12:06:37.446{223CB5FF-6E4E-6442-CC00-00000000DD02}2020C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-328.us-east-2.compute.internal50579-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000-